Access Control Flashcards
Is a passive entity (system or process) a subject or an object?
Object
Is an active entity (individual or process) a subject or object?
Subject
Which type of control is used to reduce risk?
Preventative, deterrent, corrective, recovery, detective, compensating, directive
Preventative
Which type of control identifies violations and incidents?
Preventative, corrective, detective, compensating, recovery, deterrent, directive
Detective
Which type of control is used for remediating violations and incidents and improving preventative and detective controls?
(Preventative, detective, deterrent, corrective, compensating, recovery, directive)
Corrective
Which control is used for discouraging violations?
Preventative, corrective, deterrent, recovery, detective, compensating, directive
Deterrent
Which type of control is used for restoring systems and information?
(Preventative, detective, deterrent, corrective, recovery, compensating, directive)
Recovery
Which of these determines whether a subject can log in?
Authentication, Authorisation, Accountability
authorisation
Which control provides alternative ways of achieving a task?
Preventative, corrective, recovery, compensating, detective, deterrent, directive
Compensating
Which of these determines what a subject can do, i.e. access rights and permissions? (Authentication, authorisation, accountability)
Authorisation (or establishment)
What is non-repudiation?
It means that a user can’t deny an action because their identity is positively associated with their actions
Which of these determines what a subject did?
Authorisation, authentication, accountability
Accountability
For the CISSP exam is an ATM card considered 2FA?
Yes
How many characters does a password have to be for it not to be stored in AD or local SAM (Security Account Manager)?
15 or longer
Biometrics: what is a one to one search?
Identity matched against an image file
Biometrics: what is a one to many search?
Identity matched against a database of identities
In which type of authentication system is a false reject rate (type 1 error) used?
Biometric system
Note for exam: is biometric authentication considered 2FA?
No
What is a false reject rate (FRR) or type 1 error?
The percentage of authorised users to whom a system incorrectly denies access
What is a false accept rate (FAR) or type 2 error?
The percentage of unauthorised users to whom the system incorrectly grants access
In biometrics what is the crossover error rate (CER)?
The point at which the false accept rate equals the false reject rate
Which of these is considered the most important in biometric system accuracy? (False accept rate, false reject rate, crossover error rate)
Crossover error rate
CISSP answer: what is the most common difficulty about implementing a biometric system?
User acceptance
Generally accepted standards for biometric systems (Accuracy, Speed, Throughput, Enrolment time)?
Accuracy = crossover error rate less than 10%
Speed = 5 seconds
Throughput = 6 to 10 per minute
Enrolment time = less than 2 mins
What is the difference between a finger scan system and a fingerprint system?
Finger scan systems don’t store an image of the fingerprint, but rather a digitised file describing its unique characteristics
What are the two benefits of a finger scan system over a fingerprint system?
- Less storage and processing resources
- Greater user acceptance, as the image of the fingerprint is not stored (privacy concerns)
What is a hand geometry system?
A digitised image recording the length, width, height and other unique characteristics of the hand and fingers
Biometrics: what is the difference between a retina pattern and iris pattern?
Retina pattern records the unique pattern in the vascular elements of the retina
Iris pattern records the unique patterns of the coloured portion of the eye.
What is the most secure biometric system?
Fingerprint/scan, hand geometry, iris pattern, retina pattern, signature, voice recognition, keystroke dynamics
Iris pattern
Two examples of one-time passwords are:
- tokens
- S/Key protocol
What are the 3 general types of tokens?
- static password tokens
- synchronous dynamic password tokens
- asynchronous (challenge-response) dynamic password tokens
Which type of token is a digital certificate?
- static password token
- synchronous dynamic password token
- asynchronous dynamic password token (challenge-response)
Static password token
Which type of token uses fixed time intervals?
Static password token
Synchronous dynamic password token
Asynchronous dynamic password token (challenge-response)
synchronous dynamic password token
Which type of token uses challenge-response?
Static password token
Synchronous dynamic password token
Asynchronous dynamic password token
Asynchronous dynamic password token
Name a third-party ticket-based solution that uses SSO
Kerberos (symmetric key authentication protocol)
Basic Kerberos Operation
- Client prompts subject for username/password. Using the password, the client temporarily generates and stores a secret key and sends the username to the KDC’s (key distribution centre’s) AS (authentication server)
- AS verifies that the user exists in the KDC database. The KDC Ticket Granting Service (TGS) generates a client/TGS session key encrypted with the subject’s secret key. TGS generates a Ticket Granting Ticket (TGT) consisting of the subject’s identification, client network address, time period of the ticket and client/TGS session key. TGS encrypts the TGT using the TGS secret key and sends the client/TGS session key and TGT to the client.
- Client decrypts the client/TGS session key using the secret key generated from the subject’s password, authenticates the user and erases the stored secret key. The client can’t decrypt the TGT, which the TGS encrypted using the TGS secret key.
- When the subject requests access to an object (server), it sends the TGT, object identifier (server name) and an Authenticator to the TGS on the KDC. The Authenticator is a separate message containing the client ID and time stamp, encrypted with the client/TGS session key
- TGS on the KDC generates both a client/server session key, which it encrypts using the client/TGS session key, and a service ticket, which consists of the subject ID, client network address, time stamp and client/server session key. TGS encrypts the service ticket using the secret key of the object (server). TGS sends the client/server session key and service ticket to the client.
- Client decrypts the client/server session key using the client/TGS session key. The client can’t decrypt the service ticket, which the TGS encrypted using the secret key of the object (server)
- Client then communicates directly with the server. Client sends the service ticket and an Authenticator to the server. Client encrypts the Authenticator, consisting of the subject ID and time stamp, using the client/server session key that the TGS generated. Server decrypts the service ticket using its secret key. The service ticket contains the client/server session key, which allows the server to decrypt the Authenticator. If the subject ID and time stamp are valid (according to the subject ID, client network address and validity period specified in the service ticket) then communication between client and server is established. The client/server session key is used for secure communication between subject and object
Two common issues with using SSO
- grants access to entire network and systems with single password
- doesn’t always integrate well in different systems
In Kerberos, what is a session key?
A dynamic key that is generated when needed, shared between two principals and then deleted when no longer needed
In Kerberos, what is a secret key?
A static key used to encrypt a session key
What does SESAME stand for?
Secure European Systems and Applications in a Multi-Vendor environment
Which ticket based system uses symmetric and asymmetric cryptography to distribute secret keys and securely transmit data?
Kerberos or SESAME
SESAME
Which ticket based system uses public key cryptography to communicate between different organisations or security domains?
SESAME
Which ticket based system has the following security flaws? (Kerberos, SESAME, KryptoKnight)
- it uses an XOR function for encryption
- it performs authentication based on a small segment of a message instead of entire message
- its key generation is not very random
- it’s vulnerable to password guessing attacks
SESAME
Which ticket-based system provides peer-to-peer relationships between the KDC and its principals, and provides two-party authentication, key distribution and data integrity services?
(Kerberos, SESAME, KryptoKnight)
KryptoKnight
Which ticket based system can function at any layer of the OSI model and doesn’t use clock synchronisation?
(Kerberos, SESAME, KryptoKnight)
KryptoKnight
What is a nonce?
A randomly generated number that can only be used once to authenticate a session
What are three examples of ticket based technologies that provide SSO services?
Kerberos, SESAME, KryptoKnight
Which two methodologies generally define access controls?
- centralised
- decentralised
Remote Access Service (RAS) utilises the Point-to-Point Protocol (PPP). Which 3 centralised authentication types use this?
PAP - Password Authentication Protocol
CHAP - Challenge Handshake Authentication Protocol
EAP - Extensible Authentication Protocol
Which authentication protocol uses a two-way handshake to authenticate with a peer-to-peer server?
PAP, CHAP or EAP
PAP
Which authentication protocol transfers passwords in clear text and is susceptible to replay and brute force attacks?
PAP, CHAP or EAP
PAP
Which two types of packets are used by a two-way handshake?
Synchronise and Acknowledgement
Which authentication protocol uses a 3 way handshake?
PAP, CHAP or EAP
CHAP
Which authentication protocol uses Shared Secrets?
PAP, CHAP or EAP
CHAP
What enhancement to CHAP allows a shared secret to be stored encrypted using an MD5 one-way hash function?
MS-CHAP
Which authentication protocol utilises multiple authentication mechanisms, including MD5-challenge, S/Key, generic token cards, digital certs, etc.?
PAP, CHAP or EAP
EAP
Which authentication protocol does a wireless network commonly implement?
PAP, CHAP or EAP
EAP
Which authentication protocol uses UDP at the Application Layer and allows for authentication, authorisation and accountability (AAA)?
RADIUS
What are the benefits of the next-generation RADIUS protocol, Diameter?
- Uses TCP
- Uses Stream Control Transmission Protocol (SCTP)
- Uses IPSec or TLS rather than PAP or CHAP
What are the benefits of the authentication protocol TACACS (Terminal Access Controller Access Control System)?
Supports various authentication mechanisms and allows more granular authorisation parameters
LDAP, RAS (PAP, CHAP, EAP), RADIUS, Diameter and TACACS are all types of which system for remote access?
Centralised or decentralised?
Centralised
Which type of access control system would describe a database, multi-domain or trust environment?
Centralised or decentralised?
Decentralised
Data access controls fall into 2 categories. What are they?
Discretionary and mandatory
If an access control is discretionary, who determines the policy? Owner or system?
Owner
File/data ownership and access rights/permissions are important concepts of which access control technique? Discretionary or mandatory?
Discretionary
What are the 3 basic access rights?
Read, Write and Execute
What is an access control list (ACL)?
Defines the access rights/permissions that a subject has on an object
ACLs and role-based controls are techniques used for which type of access control? Discretionary or mandatory?
Discretionary
The following are 3 disadvantages to using which type of access control method? Discretionary or Mandatory?
- lack of centralised admin
- reliance on resource owner defining controls
- difficult to audit due to large number of logs generated
Discretionary
Which type of access policy is determined by the system? Discretionary or mandatory?
Mandatory
Sensitivity labels and Data Import/Export are two important concepts of which type of access control? discretionary or mandatory?
Mandatory
Which model uses a mathematical structure that defines greatest lower bound and least upper bound values for a pair of elements, i.e. subject and object? (Could be used to determine the least level of privilege needed to access a set of files.) Rule-based or lattice-based?
Lattice-based
Lattice-based is an access control method for which type of access control? Discretionary or mandatory?
Mandatory
The following disadvantages apply to which type of access control? Discretionary or mandatory?
- user frustration
- difficult to implement and program
- not flexible
Mandatory
Access Models: Which of these access models was purely developed for confidentiality? Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model.
Bell-La Padula
The basic premise of which access model is that information cannot flow downward? Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model
Bell-La Padula
Which access model (Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model) do the following two properties relate to:
- Simple Security Property (SS Property)
- *-Property (Star Property)
Bell-La Padula
Which property defines that a subject cannot read information from an object of a higher sensitivity label?
- Simple Security Property (SS Property)
- *-Property (Star Property)
Simple Security Property (SS Property)
Which property defines that a subject cannot write information to an object of a lower sensitivity label?
- Simple Security Property (SS Property)
- *-Property (Star Property)
*-Property (Star Property)
Access Models: Which of these access models addresses only the first goal of integrity? Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model.
Biba
The following two properties represent which access model (Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model)?
- Simple Integrity Property
- *-integrity Property (Star Integrity Property)
Biba
Which property defines that a subject cannot read information from an object that has a lower integrity level (no read down)
- Simple Integrity Property
- *-integrity Property (Star Integrity Property)
Simple Integrity Property
Which property defines that a subject cannot write information to an object with a higher integrity level (no write up)
- Simple Integrity Property
- *-integrity Property (Star Integrity Property)
*-integrity Property (Star Integrity Property)
Which two access control models use the lattice-based model? Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model
Biba and the Information Flow Model
Which access control model addresses all 3 goals of integrity? (Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model)
Clark-Wilson
Which access control model (Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model) identifies requirements for inputting data based on the following items and procedures?
- Unconstrained Data Item
- Constrained Data Item
- Integrity Verification Procedures
- Transformation procedures
Clark-Wilson
Which access control model ensures that objects and subjects do not see the actions of other objects and subjects on the same system, ie cannot see changes made? (Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model)
Non-interference model
Which access control model provides access rights to subjects in a DAC system? (Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model)
Access Matrix Model
Which access control model assigns security classes and values to objects and uses a security policy to direct the flow of information? (Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model)
Information Flow Model
What is the difference between a brute force attack and a dictionary attack?
A dictionary attack uses a predefined word list
What is the best way to protect against brute force and dictionary attacks?
Protecting Security Account Databases and Password files.
What is the common name for a buffer or stack overflow attack?
Denial of Service Attack
Vulnerabilities in the IP protocol can be exploited by which type of attack?
Teardrop Attack
What is the best way to protect against a buffer/stack overflow/denial of service attack?
Identify and patch vulnerabilities in the system/network/applications.
What is the difference between a Man in the Middle Attack and Session Hijacking?
In session hijacking the attacker impersonates the intended recipient instead of modifying messages in transit
John the Ripper and L0phtCrack are both commonly used for which type of attack?
Dictionary Attack
Using two factor authentication or an account lockout policy can protect against which types of attacks?
Brute Force and Dictionary Attacks
What four common tactics should be deployed to protect against Access Control Attacks?
Vulnerability Analysis
Threat Modelling
Asset Valuation
Access Aggregation
What is another name for ensuring a security specification is created and tested during the design phase to identify likely threats, countermeasures, vulnerabilities, etc?
Threat Modeling
What is another name for combining user access rights, permissions, privileges in single or multiple systems ie SSO?
Access Aggregation
Which pen test term defines the probing of a system to determine which TCP/IP ports are running on the system?
Port Scanning
Which pen test term defines the process of scanning an online application for any vulnerabilities or weaknesses?
Application Scanning
In which type of testing does a tester have no prior knowledge of the system he/she is testing?
- black box testing
- white box testing
- grey box testing
Black box testing
Which pen test term defines the process of scanning a network for any host computers?
Host Scanning
What is an allow by default policy?
allowing access to any information unless there is a specific need to restrict that access
A deny by default access control philosophy is commonly used by government/military organisations and commercial enterprises. What is this?
any access that is not specifically permitted is denied
What should be the first step for an access control strategy?
defining a core philosophy, ie allow by default or deny by default
What is a general 3 step process for determining access controls?
- Defining resources
- Determining users
- Specifying the users’ use of the resources
An organisation should have multiple access control strategies. True or False?
False
What should be the first element of an effective access control program?
to establish an access control policy and associated standards and procedures.
What is the primary objective of separation of duties?
to prevent fraud and errors
What should be the first action to employ separation of duties in a process or work function?
define the individual elements of the process
Which two factors must be addressed in determining the applicability of separation of duties?
- the sensitivity of the function under consideration
- the elements within a process that lend themselves to distribution
What are 4 important concepts when defining user access control?
- Least Privilege: user or process given no more access privilege than necessary to perform a job/task/function
- Need to know: access to information based on job or business requirements
- Compartmentalisation: the process of separating groups of people and information from other groups.
- Security Domain: based on trust between resources or services in areas or systems that share a single security policy, ie a subject can only access an object in an equal or lower domain. uses a hierarchy.
What should be the first 2 steps when developing an information classification program?
1. Determine the program objectives
2. Establish organisational support
Who in the business is responsible for information classification?
Information Owner (normally someone in a business unit who understands the information in their area of the business)
What are the 4 common levels of information classification used by most organisations?
- Public (sometimes referred to as unclassified)
- Internal Use Only
- Confidential - trade secrets, privacy of individuals (may also be called top-secret, privileged, personal, sensitive, highly confidential)
- Restricted (if released could cause irreparable harm to the organisation) - only suitable for a select few individuals such as “C” level executives.
Which of the CIA principles should still be considered in relation to public classified information?
Availability
What does aggregate data mean in relation to information classification?
Data when taken alone is of low sensitivity, but when combined with other data is of high sensitivity.
Name 7 access control requirements that should be considered?
- Reliability: must give consistent results
- Transparency: must be transparent to end-user. the less user interaction the better
- Scalability: should ensure a system can accommodate future growth
- Integrity: ensuring only authorised personnel have access to administrative functions of the system.
- Maintainability: administrative effort required to maintain the application
- Authentication Data Security: user identities, passwords, access capabilities, etc. (data encryption, system & file level access controls, strong authentication for admin functions)
- Auditability: authentication requests, data access attempts, changes to privileges and exercise of administrative capabilities.
Which type of control is used to specify acceptable rules of behaviour?
(Preventative, deterrent, corrective, recovery, detective, compensating, directive)
Directive
What are the 7 main categories of access control?
Directive, Deterrent, Recovery, Compensating, Preventative, Corrective, Detective
A security policy can be considered which type of access control? (Directive, Deterrent, Recovery, Compensating, Preventative, Corrective, Detective)
Directive and deterrent
A user registration procedure would be considered which type of access control? (Directive, Deterrent, Recovery, Compensating, Preventative, Corrective, Detective)
Preventative
Termination would be considered which type of access control? (Directive, Deterrent, Recovery, Compensating, Preventative, Corrective, Detective)
Corrective
Supervision would be considered which type of access control? (Directive, Deterrent, Recovery, Compensating, Preventative, Corrective, Detective)
Compensating
Job rotation would be considered which type of access control? (Directive, Deterrent, Recovery, Compensating, Preventative, Corrective, Detective)
Compensating
Logging would be considered which type of access control? (Directive, Deterrent, Recovery, Compensating, Preventative, Corrective, Detective)
Compensating
Keystroke Monitoring would be considered which type of access control? (Directive, Deterrent, Recovery, Compensating, Preventative, Corrective, Detective)
Compensating
A fence would be considered which type of access control? (Directive, Deterrent, Recovery, Compensating, Preventative, Corrective, Detective)
Preventative
Which type of control can cover all 7 access control categories?
CCTV
Categories of access controls can be implemented in what 3 ways?
Administrative (sometimes called management controls)
Logical (sometimes called Technical controls)
Physical (sometimes called operational controls)
Maintaining an authorisation process and a record of all privileges is known as what?
Privilege Management
The ability to restrict access to systems based on a network wide policy is known as what? Involves querying a system to ensure it is adhering to established policies, ie AV on the system.
Network Access Control (NAC)
What is a race condition?
Where two or more processes are waiting for the same resource.
What is a hash?
A one-way mathematical function that cannot be reversed.
In relation to access permission what does (C) Change provide?
Read, write, execute and delete. May not change file permissions.
What is non-discretionary access control?
Based on the assignment of permissions to read, write and execute files on a system; however, unlike discretionary access control, which allows the file owner to specify those permissions, non-discretionary access control requires the admin of a system to define and control the access rules for files in the system.
ACLs typically have two basic pieces of data. What are they?
a keyword pattern and an action taken if the keyword is matched.
An ACL in the form of a table is known as what?
An access control matrix
Rule-based access controls are most commonly associated with which type of access control? DAC or MAC?
DAC because the system owner typically develops the rules based on the organisation or processing needs.
Role-based access control can be applied using both DAC and MAC. True or false?
True
DAC by owner
MAC by system
What are the 4 basic role based access control architectures?
- Non-RBAC: user granted access to data using ACLs. No role-based model
- Limited RBAC: mapped to roles within an application (users of this system are also able to access non-RBAC based apps or data)
- Hybrid RBAC: role is applied to multiple apps where apps subscribe to the organisations role based model
- Full RBAC: all app access controlled by organisations role based model
What is content dependent access control?
Access control based on the value of data, i.e. data may be assigned a department number that only staff within that department can access. User access to a piece of data can change if the data is changed, as opposed to the user role changing.
What type of access control is Constrained User Interface?
user restricted to specific functions on a system based on their role within that system. common on devices such as an ATM.
What is an advantage of using the Constrained User Interface access control model?
can limit the potential avenues of attack and system failure by limiting the processing options available to a user.
A database ‘View’ is a common example of which type of access control?
Constrained User Interface
What is a capability table?
Matches subject and their capabilities against system objects and the ability to use those capabilities on those objects.
What is temporal (time-based) isolation?
Activities performed at a given time for a pre-determined duration. can extend to system processing when certain jobs are only performed during certain times of the day.
What is an important caveat when using temporal access controls?
care must be taken if an organisation is spread across multiple time zones
The assertion of a unique identity for a person is known as what?
Identification
Binding a user to the appropriate controls based on that unique user instance is an objective of what? Identification, Authentication or Authorisation?
Identification
What is IAA in relation to access control?
Identification (provides uniqueness)
Authentication (provides validity)
Authorisation (provides control)
How many bits is a MAC address?
48-bit, represented in hexadecimal format
Is a MAC address considered a strong identifier or authenticator?
No because most network-enabled devices allow the MAC to be stored in software instead of hardware meaning the MAC can be altered.
Should an IP address be used as an identifier alone?
No, because it is stored in software and can be altered.
What is a Radio Frequency Identification Tag (RFID)?
small label that can be embedded in objects such as passports, consumer goods, even humans.
How does an RFID tag work?
When the tag comes within the proximity of the reader, the reader reads the information from the tag and determines the identity of the object
What is the main concern with using RFID tags in passports?
Privacy concerns: because tags can be read from a distance, there are concerns that an individual’s information may be taken without their consent.
Should an email address be used alone as a unique identifier?
No
What are the 3 essential security characteristics regarding identities?
Uniqueness
Non-descriptiveness
Secure issuance
What is the key difference between the Unix ‘root’ account and Windows Admin account?
Windows Admin account can be changed to a different name.
What is the goal of an identity management system?
To consolidate access rights into an easily managed record of identity and access for each user in a system
In an identity management system, what is the best way of managing IDs for contractors, business partners, etc.?
segment these users into their own group.
What is the benefit of using centralised identity management?
- can enforce organisation wide control over identity allocation. promotes consistency of policy. helps with leavers process
What is the main issue with using centralised identity management?
access needs of departments, regional office can be different. political or legal reasons also a factor depending on region.
What is the advantage and disadvantage of a de-centralised identity management system?
Advantage is that local managers have a better sense of user requirements in their area.
Disadvantage is that it’s difficult to enforce a central policy. can also be more expensive and can cause conflicting rights on shared resources.
In authentication there are traditionally 3 factors. What is the 4th one?
Geo-location
In relation to Geo-location, what does the term apparent location mean?
An IP address is not a foolproof method of geo-location.
What are the 3 basic types of character passwords?
- Standard words
- Combination passwords (includes numbers)
- Complex passwords (includes non-alphanumeric characters)
What is a more secure alternative to a password when using single factor authentication?
Passphrase
What is a Graphical Password?
an image or sequence of images used as password
What two types of static authentication devices exist?
Memory cards and smart cards
What is the main difference between a memory card and smart card authentication device?
Availability of processing power. A memory card can hold information but not process it, whereas a smart card can do both
What is a common example of a memory card?
A swipe card
What is the main weakness with a memory card?
Data is stored unprotected
What is an ISO term for a smart card?
Integrated Circuit (IC) Card
What are the advantages of using a smart card over a memory card?
- can hold more data than memory cards
- can provide secure login, secure email, digital signatures, secure web/remote access, VPN, Hard disk encryption
- login process is done by reader instead of at host so the identifier and password is not exposed whilst in transit to the host.
What is a trusted path?
A communications channel through which all information passing through is deemed to be secure.
Which type of memory does a smart card use?
Electrically Erasable Programmable Read Only Memory (EEPROM)
What two types of smart cards are there?
Contact and contactless
List of typical smart card pinouts
- Vcc - power connection
- RST - reset line
- CLK - clock signal (controls operation speed)
- RFU - reserved for future use
- GND - ground line
- Vpp - programming power
- I/O - input/output line for comms with reader
- RFU - reserved for future use
What are the two types of biometrics?
Physiological and behavioural
What are the most common biometrics used?
Fingerprints
What is a vascular scan?
studies the veins in the user’s hand or face
What are 3 types of behavioural biometrics?
Signature Dynamics
Keystroke Dynamics
Voice Pattern
What are 5 ways of protecting desktop sessions?
- Screensavers
- Timeouts
- Automatic logouts
- Session/login management (multiple devices)
- Schedule limitations (time based)
Typical example of a login session to a banking website:
- user navigates to the website, which starts a session
- user clicks secure login, which is then encrypted using SSL
- user authenticates and information is passed through the encrypted session
- user logs off and the session is terminated.
Session hijacking is a form of which type of attack?
Man in the middle attack
What is arguably the most significant aspect of ensuring accountability in access control systems?
Culture of the organisation. It must be supported at the top level of the organisation.
What are the 4 most common directory technologies?
X500
the Lightweight Directory Access Protocol (LDAP)
Active Directory
X400
What are the characteristics of the X500 protocol?
- Developed by ITU-T and also known as ISO/IEC 9594
- originally developed for telecommunications companies
- consists of 4 protocols: DAP, DSP, DISP and DOP
- organised as a hierarchical database of information
Which of the following protocols is the primary one used by X500?
Directory Access Protocol (DAP)
Directory System Protocol (DSP)
Directory Information Shadowing Protocol (DISP)
Directory Operational Bindings Management Protocol (DOP)
DAP
What is the key field used by the X500 directory and what does it provide?
The Distinguished Name (DN), which provides the full path through the X500 database where a particular entry may be found.
What is the opposite of DN in an X500 directory?
RDN (relative distinguished name) which provides the name of a specific entry without the full path component attached.
What is the main disadvantage of X500?
Complex to implement and complicated to administer.
Which protocol in the X500 suite is LDAP based on?
DAP
What is the main benefit of LDAP over X500?
Provides a simpler implementation of directory services for enterprises that operate in a TCP/IP environment.
What are the characteristics of LDAP?
- uses a hierarchical tree structure for directory entries and also supports DN and RDN concepts.
- Common attributes for an LDAP entry include the following: DN, CN, DC, OU
- operates in a client/server architecture
- typically runs over unsecured network connections using TCP port 389
- version 3 of the LDAP protocol supports the use of TLS to encrypt communications
- can also use SSL via TCP, port 636.
What is Active Directory?
An implementation of the LDAP protocol for Microsoft based environments
- provides authentication and authorisation capabilities on an enterprise wide level.
- can enforce organisational security and configuration policies.
- AD uses LDAP for its naming structure
- AD directories are organised into forests and trees
- Domains are identified by DNS name and objects by OUs
What is a forest in relation to AD?
a collection of all the objects and their associated attributes
What is a tree in relation to AD?
logical groupings of one or more AD security domains within a forest.
What is X400?
Predecessor to SMTP that’s also known as Message Handling System (MHS).
What is Perimeter based web portal access?
LDAP integration with web based apps to provide authentication
In a Perimeter Based Web Portal Access solution, what handles the user authentication state?
WAM (Web Access Management)
What does a Federated Identity Management system provide?
Authentication between different organisations that may share the same apps or users.
A Federated Identity Management System can provide two basic processes for linking the member organisations together. What are they?
Cross-certification model: each organisation must individually certify that every other participating organisation is worthy of trust.
Trusted third party or bridge model: participating organisations subscribe to the standards and practices of a third party that manages the verification.
What is the benefit of a trusted third party model over a cross certification model?
You don’t have to maintain individual trusts with every organisation; one organisation verifies all connecting organisations.
What is a “Once In-Unlimited Access” model?
The user authenticates once and then has access to all the resources participating in the model. It could be used on an intranet.
What is a drawback of the “Once In-Unlimited Access” model?
An assumption on each participating system that user authentication and authorisation were properly handled before access was granted.
What are the 5 key types of logging that are the foundation of security auditing?
- Network events
- System events
- Application events
- User actions
- Keystroke activity
What is a Multi-Host Intrusion Detection System?
Allows systems to share policy information and real-time attack data.
What is a drawback of using a Host IDS?
It can be very invasive to the host OS, can consume a lot of memory on the host and can interfere with processing.
What is Stateful Matching Intrusion Detection?
Scans for attack signatures in the context of a stream of traffic or overall system behaviour rather than looking at individual packets or discrete behaviour.
How can an attacker evade Stateful Matching Intrusion Detection?
By sending packets from multiple locations or with a long wait period between each transmission. Signatures must also be kept up to date.
What is Protocol Anomaly Based Intrusion Detection?
Identifies unacceptable deviation from the expected behaviour of known protocols, i.e. HTTP.
What is a weakness of Protocol Anomaly Based Intrusion Detection?
It is ineffective if custom or non-standard protocols are used.
What is a Traffic Anomaly Based Intrusion Detection System?
Identifies any unacceptable deviation from expected behaviour based on traffic structure.
What is a weakness of Traffic Anomaly Based Intrusion Detection System?
Relies on the ability to establish normal patterns of traffic.
What are the 3 fundamental components of IDS alarm capability?
Sensor: detection mechanism
Control and Communication: handling alert information
Enunciator: relay system - alert local resources
What is SIEM (Security Information and Event management)?
A group of technologies which aggregates information about access controls and selected system activity, providing real-time reporting on events and incidents as they occur in network and information systems.
What are two types of spyware?
Malvertisements: web advertisements which appear legitimate
Malnets: infected nodes clustered together such as websites, desktop, laptops, etc. to launch further attacks.
What is the unused space in the cluster after where data has been written called?
Slack space
Why does deleting data from a disk or formatting a disk not remove the data?
In these scenarios the information is simply removed from the File Allocation Table (FAT), signifying that those clusters are now available for use. The actual data still physically resides on the drive, waiting to be found or until new data has been written to the cluster. Data will remain in slack space until the entire cluster is overwritten.
In what way can slack space be used by an attacker?
An attacker can use a tool that writes information, such as malicious code, only to the slack space of available clusters, where it will be hidden from the user.
What 3 things should a tool erase to ensure everything is deleted from a hard disk?
the data
the file’s directory entry
the file’s FAT entry
What is data mining?
The statistical analysis on general information in the absence of specific data
What is Access Aggregation?
The act of collecting additional roles and responsibilities in an organisation.
What is User Entitlement in relation to access control?
The action of provisioning resources to a user, i.e. mapped drives. Changing roles can aggregate this entitlement.
What are the steps in the Identity and Access Provisioning Lifecycle?
- Provisioning
- Review
- Revocation
What is the first line of a defence in depth strategy?
Access Control