Access Control Flashcards
Is a passive entity (system or process) a subject or an object?
Object
Is an active entity (individual or process) a subject or object?
Subject
Which type of control is used to reduce risk?
Preventative, deterrent, corrective, recovery, detective, compensating, directive
Preventative
Which type of control identifies violations and incidents?
Preventative, corrective, detective, compensating, recovery, deterrent, directive
Detective
Which type of control is used for remediating violations and incidents and improving preventative and detective controls?
(Preventative, detective, deterrent, corrective, compensating, recovery, directive)
Corrective
Which control is used for discouraging violations?
Preventative, corrective, deterrent, recovery, detective, compensating, directive
Deterrent
Which type of control is used for restoring systems and information?
(Preventative, detective, deterrent, corrective, recovery, compensating, directive)
Recovery
Which of these determines whether a subject can log in?
Authentication, Authorisation, Accountability
Authorisation
Which control provides alternative ways of achieving a task?
Preventative, corrective, recovery, compensating, detective, deterrent, directive
Compensating
Which of these determines what a subject can do, i.e. access rights and permissions? (Authentication, authorisation, accountability)
Authorisation (or establishment)
What is non-repudiation?
It means that a user can’t deny an action, because their identity is positively associated with their actions.
Which of these determines what a subject did?
Authorisation, authentication, accountability
Accountability
For the CISSP exam is an ATM card considered 2FA?
Yes
How many characters does a password have to be for it not to be stored in AD or local SAM (Security Account Manager)?
15 or longer
Biometrics: what is a one to one search?
Identity matched against an image file
Biometrics: what is a one to many search?
Identity matched against a database of identities
In which type of authentication system is a false reject rate (type 1 error) used?
Biometric system
Note for exam: is biometric authentication considered 2FA?
No
What is a false reject rate (FRR) or type 1 error?
The percentage of authorised users to whom a system incorrectly denies access
What is a false accept rate (FAR) or type 2 error?
The percentage of unauthorised users to whom the system incorrectly grants access
In biometrics what is the crossover error rate (CER)?
The point at which the false accept rate equals the false reject rate
Which of these is considered the most important in biometric system accuracy? (False accept rate, false reject rate, crossover error rate)
Crossover error rate
CISSP answer: what is the most common difficulty about implementing a biometric system?
User acceptance
What are the generally accepted standards for biometric systems (accuracy, speed, throughput, enrolment time)?
- Accuracy = crossover error rate less than 10%
- Speed = 5 seconds
- Throughput = 6 to 10 per minute
- Enrolment time = less than 2 mins
What is the difference between a finger-scan system and a fingerprint system?
Finger-scan systems don’t store an image of the fingerprint, but rather a digitised file describing its unique characteristics
What are the two benefits of a finger-scan system over a fingerprint system?
- Less storage and processing resources
- Greater user acceptance, as an image of the fingerprint is not stored (i.e. fewer privacy concerns)
What is a hand geometry system?
A digitised image recording the length, width, height and other unique characteristics of the hand and fingers
Biometrics: what is the difference between a retina pattern and iris pattern?
Retina pattern records the unique pattern in the vascular elements of the retina.
Iris pattern records the unique patterns of the coloured portion of the eye.
What is the most secure biometric system?
Fingerprint/scan, hand geometry, iris pattern, retina pattern, signature, voice recognition, keystroke dynamics
Iris pattern
Two examples of one-time passwords are:
- Tokens
- S/Key protocol
What are the 3 general types of tokens?
- Static password tokens
- Synchronous dynamic password tokens
- Asynchronous (challenge-response) dynamic password tokens
Which type of token is a digital certificate?
- Static password token
- Synchronous dynamic password token
- Asynchronous dynamic password token (challenge-response)
Static password token
Which type of token uses fixed time intervals?
Static password token
Synchronous dynamic password token
Asynchronous dynamic password token (challenge-response)
Synchronous dynamic password token
Which type of token uses challenge-response?
Static password token
Synchronous dynamic password token
Asynchronous dynamic password token
Asynchronous dynamic password token
Name a third-party ticket-based solution that provides SSO
Kerberos (symmetric key authentication protocol)
Basic Kerberos Operation
- The client prompts the subject for a username/password. Using the password, the client temporarily generates and stores a secret key, and sends the username to the KDC’s (Key Distribution Centre’s) AS (Authentication Server).
- The AS verifies that the user exists in the KDC database. The KDC Ticket Granting Service (TGS) generates a client/TGS session key encrypted with the subject’s secret key. The TGS generates a Ticket Granting Ticket (TGT) consisting of the subject’s identification, client network address, validity period of the ticket and the client/TGS session key. The TGS encrypts the TGT using the TGS secret key and sends the client/TGS session key and TGT to the client.
- The client decrypts the client/TGS session key using the secret key generated from the subject’s password, authenticates the user and erases the stored secret key. The client can’t decrypt the TGT, which the TGS encrypted using the TGS secret key.
- When the subject requests access to an object (server), the client sends the TGT, the object identifier (server name) and an Authenticator to the TGS on the KDC. The Authenticator is a separate message containing the client ID and a timestamp, encrypted with the client/TGS session key.
- The TGS on the KDC generates both a client/server session key, which it encrypts using the client/TGS session key, and a service ticket, which consists of the subject ID, client network address, timestamp and client/server session key. The TGS encrypts the service ticket using the secret key of the object (server). The TGS sends the client/server session key and service ticket to the client.
- The client decrypts the client/server session key using the client/TGS session key. The client can’t decrypt the service ticket, which the TGS encrypted using the secret key of the object (server).
- The client then communicates directly with the server. The client sends the service ticket and an Authenticator to the server. The client encrypts the Authenticator, consisting of the subject ID and a timestamp, using the client/server session key that the TGS generated. The server decrypts the service ticket using its secret key. The service ticket contains the client/server session key, which allows the server to decrypt the Authenticator. If the subject ID and timestamp are valid (according to the subject ID, client network address and validity period specified in the service ticket), then communication between client and server is established. The client/server session key is used for secure communication between subject and object.
Two common issues with using SSO
- Grants access to the entire network and systems with a single password
- Doesn’t always integrate well with different systems
In Kerberos, what is a session key?
A dynamic key that is generated when needed, shared between two principals and then deleted when no longer needed
In Kerberos, what is a secret key?
A static key used to encrypt a session key
What does SESAME stand for?
Secure European Systems and Applications in a Multi-Vendor environment
Which ticket-based system uses symmetric and asymmetric cryptography to distribute secret keys and securely transmit data?
Kerberos or SESAME
SESAME
Which ticket-based system uses public key cryptography to communicate between different organisations or security domains?
SESAME
Which ticket-based system has the following security flaws? (Kerberos, SESAME, KryptoKnight)
- It uses an XOR function for encryption
- It performs authentication based on a small segment of a message instead of the entire message
- Its key generation is not very random
- It’s vulnerable to password-guessing attacks
SESAME
Which ticket-based system provides peer-to-peer relationships between the KDC and its principals, and provides two-party authentication, key distribution and data integrity services?
(Kerberos, SESAME, KryptoKnight)
KryptoKnight
Which ticket-based system can function at any layer of the OSI model and doesn’t use clock synchronisation?
(Kerberos, SESAME, KryptoKnight)
KryptoKnight
What is a nonce?
A randomly generated number that can only be used once, to authenticate a session.
What are three examples of ticket-based technologies that provide SSO services?
Kerberos, SESAME, KryptoKnight
Which two methodologies generally define access controls?
- Centralised
- Decentralised
Remote Access Service (RAS) utilises the Point-to-Point Protocol (PPP). Which 3 centralised authentication protocols use it?
PAP - Password Authentication Protocol
CHAP - Challenge Handshake Authentication Protocol
EAP - Extensible Authentication Protocol
Which authentication protocol uses a two-way handshake to authenticate with a peer-to-peer server?
PAP, CHAP or EAP
PAP
Which authentication protocol transfers passwords in clear text and is susceptible to replay and brute-force attacks?
PAP, CHAP or EAP
PAP
Which two types of packets are used by a two-way handshake?
Synchronise and Acknowledgement
Which authentication protocol uses a 3-way handshake?
PAP, CHAP or EAP
CHAP
Which authentication protocol uses shared secrets?
PAP, CHAP or EAP
CHAP
What enhancement to CHAP allows a shared secret to be stored encrypted using an MD5 one-way hash function?
MS-CHAP
Which authentication protocol utilises multiple authentication mechanisms, including MD5-challenge, S/Key, generic token cards, digital certificates, etc.?
PAP, CHAP or EAP
EAP
Which authentication protocol does a wireless network commonly implement?
PAP, CHAP or EAP
EAP
Which authentication protocol uses UDP at the Application Layer and provides authentication, authorisation and accountability (AAA)?
RADIUS
What are the benefits of the next generation RADIUS protocol, Diameter?
- Uses TCP
- Uses Stream Control Transmission Protocol (SCTP)
- Uses IPSec or TLS rather than PAP or CHAP
What are the benefits of the authentication protocol TACACS (Terminal Access Controller Access Control System)?
Supports various authentication mechanisms and allows more granular authorisation parameters
LDAP, RAS (PAP, CHAP, EAP), RADIUS, Diameter and TACACS are all what type of remote access system?
Centralised or decentralised?
Centralised
Which type of access control system would describe a database, multi-domain or trust environment?
Centralised or decentralised?
Decentralised
Data access controls fall into 2 categories. What are they?
Discretionary and mandatory
If an access control is discretionary, who determines the policy? Owner or system?
Owner
File/data ownership and access rights/permissions are important concepts of which access control technique? Discretionary or mandatory?
Discretionary
What are the 3 basic access rights?
Read, Write and Execute
What is an access control list (ACL)?
Defines the access rights/permissions that a subject has on an object
ACLs and role-based controls are techniques used for which type of access control? Discretionary or mandatory?
Discretionary
The following are 3 disadvantages of which type of access control method? Discretionary or mandatory?
- Lack of centralised administration
- Reliance on the resource owner to define controls
- Difficult to audit due to the large number of logs generated
Discretionary
Which type of access policy is determined by the system? Discretionary or mandatory?
Mandatory
Sensitivity labels and data import/export are two important concepts of which type of access control? Discretionary or mandatory?
Mandatory
Which model uses a mathematical structure that defines greatest lower bound and least upper bound values for a pair of elements, i.e. subject and object? (Could be used to determine the least level of privilege needed to access a set of files.) Rule-based or lattice-based?
Lattice-based
Lattice-based is an access control method for which type of access control? Discretionary or mandatory?
Mandatory
The following disadvantages are associated with which type of access control? Discretionary or mandatory?
- User frustration
- Difficult to implement and program
- Not flexible
Mandatory
Access Models: Which of these access models was purely developed for confidentiality? Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model.
Bell-La Padula
The basic premise of which access model is that information cannot flow downward? Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model
Bell-La Padula
Which access model (Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model) do the following two properties relate to:
- Simple Security Property (SS Property)
- *-Property (Star Property)
Bell-La Padula
Which property defines that a subject cannot read information from an object of a higher sensitivity label?
- Simple Security Property (SS Property)
- *-Property (Star Property)
Simple Security Property (SS Property)
Which property defines that a subject cannot write information to an object of a lower sensitivity label?
- Simple Security Property (SS Property)
- *-Property (Star Property)
*-Property (Star Property)
Access Models: Which of these access models addresses only the first goal of integrity? Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model.
Biba
The following two properties represent which access model (Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model)?
- Simple Integrity Property
- *-integrity Property (Star Integrity Property)
Biba
Which property defines that a subject cannot read information from an object that has a lower integrity level (no read down)?
- Simple Integrity Property
- *-integrity Property (Star Integrity Property)
Simple Integrity Property
Which property defines that a subject cannot write information to an object with a higher integrity level (no write up)?
- Simple Integrity Property
- *-integrity Property (Star Integrity Property)
*-integrity Property (Star Integrity Property)
Which two access control models use the lattice-based model? Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model
Biba and the Information Flow Model
Which access control model addresses all 3 goals of integrity? (Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model)
Clark-Wilson
Which access control model (Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model) identifies requirements for inputting data based on the following items and procedures?
- Unconstrained Data Item
- Constrained Data Item
- Integrity Verification Procedures
- Transformation procedures
Clark-Wilson
Which access control model ensures that objects and subjects do not see the actions of other objects and subjects on the same system, i.e. cannot see changes made? (Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model)
Non-interference model
Which access control model provides access rights to subjects in a DAC system? (Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model)
Access Matrix Model
Which access control model assigns security classes and values to objects and uses a security policy to direct the flow of information? (Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model)
Information Flow Model
What is the difference between a brute-force attack and a dictionary attack?
A dictionary attack uses a predefined word list
What is the best way to protect against brute-force and dictionary attacks?
Protecting Security Account Databases and Password files.
What is the common name for a buffer or stack overflow attack?
Denial of Service Attack