Access Control Flashcards
Provide an example of a “Subject” and an example of an “Object”
Subject - The active entity that requests access and operates on something else (a user, a process, a service account)
Object - The passive entity being operated on (a file, a database row, a printer, a network socket)
Definition of Access Control
Any hardware, software, administration, or process that performs the following tasks:
- Identifies users or subjects attempting to access resources
- Determines if access is authorized
- Grants or restricts access
- Monitors and records access activities
Can a subject be an object and then change repeatedly?
True. The roles are relative to a single access: a process is an object while another process reads its memory, and a subject when it opens a file. The same entity can switch roles many times.
Explain Users vs Owners
A user accesses an object; an owner determines which users can access the object (in discretionary models the owner sets the permissions).
An object has only one owner but can have multiple users.
What is the CIA Triad?
C - Confidentiality… Can we keep the wrong people out?
I - Integrity… ensure only authorized changes occur
A - Availability… Is it available when I need it?
What is the difference between rights and permissions?
Often used interchangeably. Where a distinction is drawn, a permission is a lower-level authorization tied to a specific object (read this file), while a right is a higher-level, system-wide authorization (change the system time, shut down the host).
What are privileges?
The combination of rights and permissions (whole assembly).
What are the 7 types of access control?
Preventive - Stops unwanted activity before it happens (gates, fences, passwords, biometrics)
Detective - Discovers unwanted activity after the fact (log analysis, CCTV review, IDS alerts)
Corrective - Returns a system to normal after an incident (terminating a malicious process, restoring a file from backup)
Deterrent - Discourages violations (policies, warning signs, visible cameras)
Recovery - Extends corrective controls to repair and rebuild after damage (backups, failover sites, reimaging)
Directive - Directs or constrains behaviour (signs, manuals, supervisors, procedures)
Compensating - Alternative control used when the primary control cannot be implemented (reviewed logs where separation of duties is impractical)
What are Administrative Controls
Policies, procedures, hiring practices, etc
What are logical/ technical controls
Hardware or software controls (usernames, passwords or biometrics)
What are Physical Controls
Things that can be physically interacted with (door locks, mantraps, fences, guards)
What is a defense in depth strategy?
The use of multiple overlapping layers of controls so that the failure of a single control does not by itself grant access (typically the three categories below)
- Administrative
- Logical/ technical
- Physical
What are the elements of access control?
Authentication - Proof of a claimed identity
Authorization - Subject is granted access to objects based on the proven identity
Accountability - Auditing that ties a subject's use of objects back to that identity
What are the three types of Authentication?
- Type 1: Something you know (password, PIN)
- Type 2: Something you have (token, smart card)
- Type 3: Something you are (fingerprint, iris)
Somewhere you are (location) is sometimes listed as an additional factor.
Effective accountability relies on which two of the three: Authentication, authorization, identification
Identification and authentication, not authorization. To hold someone accountable we need to know reliably who performed an action and that the claimed identity was proven. Whether the action was authorized is something the audit log records; it is not a precondition for accountability.
Name several “good” authentication techniques
Passwords backed by good password selection, password aging (forced change), password complexity rules, and password history (no reuse of recent passwords)
Name some examples of cognitive passwords
Date of birth, mothers maiden name, first pet
Are cognitive passwords effective?
Not very. The answers (date of birth, mother's maiden name, first pet) are often discoverable through social media or a short social engineering conversation.
Explain a synchronous dynamic password token
Device that generates a one-time code from a shared secret and a counter that the server can reproduce on its own, usually the current time divided into fixed steps (time-based, as in TOTP) or a per-use counter (counter-based). The two sides must stay synchronized, so time-based tokens depend on reasonably accurate clocks; servers typically accept codes from adjacent time steps to absorb drift.
Explain an asynchronous dynamic password token
Challenge-response: the server sends a challenge (a nonce), the user keys it into the device (often after unlocking the device with a PIN), and the device returns a response computed from the challenge and its secret. No clock or counter synchronization is needed, and a captured response is useless for any other challenge.
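Both token types above, as an added example that is not part of the original flashcard set: a minimal HOTP/TOTP implementation for the synchronous case (with the server-side drift window) and an HMAC challenge-response for the asynchronous case. The seed value is the RFC 4226/6238 test-vector secret, the helper names are this snippet's own, and the 8-hex-character response format is an assumption made for the example.

```python
"""Synchronous (time-based) and asynchronous (challenge-response) one-time
password tokens.  Added illustration; helper names, the demo seed and the
response format are constructed for this example, not taken from a product."""
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Synchronous token: the counter is the clock divided into fixed steps
    (RFC 6238), so device and server derive the same code without talking."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Server side.  Accepts the code for the current step plus `window` steps
    either side; that tolerance is how drift between the two clocks is absorbed.
    compare_digest keeps the comparison constant-time."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, c), code)
        for c in range(counter - window, counter + window + 1)
    )


def make_challenge() -> bytes:
    """Asynchronous token, server side: a fresh random challenge per attempt."""
    return secrets.token_bytes(16)


def token_response(secret: bytes, challenge: bytes) -> str:
    """Asynchronous token, device side: the response is keyed by the device
    secret and bound to this challenge, so it cannot be replayed elsewhere.
    Truncating to 8 hex characters (for a small display) is an assumption."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()[:8]


def verify_response(secret: bytes, challenge: bytes, response: str) -> bool:
    """Server side: recompute the expected response for the challenge it issued."""
    return hmac.compare_digest(token_response(secret, challenge), response)


if __name__ == "__main__":
    seed = b"12345678901234567890"          # RFC 4226/6238 test-vector seed
    print("TOTP at t=59:", totp(seed, 59))
    print("code from previous step accepted:", verify_totp(seed, totp(seed, 29), 59))
    challenge = make_challenge()
    reply = token_response(seed, challenge)
    print("challenge-response accepted:", verify_response(seed, challenge, reply))
    print("same reply, different challenge:", verify_response(seed, make_challenge(), reply))
```

The drift window is the security trade-off of the synchronous design: each extra step on either side multiplies the number of codes an attacker can guess at once, so keep it small and rate-limit attempts. The challenge-response path has no such window, which is why it needs no time source.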
Explain a static token
A physical device that carries a fixed credential rather than generating codes: a smart card, a USB key, or a memory card inserted into the computer or a reader. It is normally paired with a PIN (something you know) so that loss of the device alone does not grant access.
Define some biometric controls based on order of accuracy
- Retina - Very accurate, but unpopular: the scan requires close contact and the retinal pattern can reveal health conditions
- Iris - Does not change over time, but can be spoofed with a high-quality image
- Fingerprint - Can be spoofed with a lifted print
- Face
- Finger/ Palm geometry
- Heart/ Pulse
- Voice Pattern - Issues with consistency (illness, background noise)
- Keystrokes - Not accurate
What is FRR?
False Rejection Rate (false negative, Type I error): a legitimate user is turned away
What is FAR?
False Acceptance Rate (false positive, Type II error): an impostor is let in
What is worse (FAR or FRR)
FAR. A false acceptance admits an unauthorized person, which is a security failure; a false rejection is only an inconvenience for a legitimate user.
What is CER
Crossover error rate - the point at which FAR and FRR are equal (also called the equal error rate), obtained by sweeping the matching threshold.
A higher CER means the solution is less accurate than a system with a lower CER; CER is the standard figure for comparing biometric products.
Explain CER sensitivity
The CER is a comparison point, not where the system must operate. The matching threshold can be moved along the FAR/FRR curve: raising it lowers FAR at the cost of more false rejections. A high-security deployment deliberately de-tunes toward more false rejections, accepting that legitimate users are annoyed more often.
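The FAR/FRR/CER relationship and the threshold tuning described above, worked through in code as an added example that is not part of the original flashcards. The genuine and impostor match scores are constructed for the illustration (a real matcher would produce them during enrollment testing), and the function names are this snippet's own.

```python
"""FAR, FRR and crossover error rate (CER) for a score-based biometric matcher.
Added illustration; all match scores below are constructed, not measured."""
from dataclasses import dataclass


@dataclass(frozen=True)
class OperatingPoint:
    threshold: float   # minimum match score the system accepts
    far: float         # false acceptance rate: impostors let in
    frr: float         # false rejection rate: genuine users turned away


def rates_at(threshold, genuine, impostor):
    """A sample is accepted when its score is >= threshold.
    FAR counts impostor scores that pass; FRR counts genuine scores that fail."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return OperatingPoint(threshold, far, frr)


def sweep(genuine, impostor):
    """Operating points at every distinct observed score, ascending threshold."""
    return [rates_at(t, genuine, impostor)
            for t in sorted(set(genuine) | set(impostor))]


def crossover(genuine, impostor):
    """CER: the operating point where FAR and FRR are closest to equal."""
    return min(sweep(genuine, impostor), key=lambda p: abs(p.far - p.frr))


def cer_value(genuine, impostor):
    """Single number for comparing systems: the error rate at the crossover."""
    p = crossover(genuine, impostor)
    return (p.far + p.frr) / 2


def tune_for_max_far(genuine, impostor, max_far):
    """CER sensitivity: the lowest threshold whose FAR is within budget.
    Tightening max_far pushes the threshold up, and FRR up with it; that is the
    'annoy legitimate users rather than admit impostors' trade-off."""
    for point in sweep(genuine, impostor):
        if point.far <= max_far:
            return point
    return None


def more_accurate(system_a, system_b):
    """Compare two matchers by CER: the lower CER is the more accurate system."""
    return "A" if cer_value(*system_a) < cer_value(*system_b) else "B"


# Constructed scores (higher = better match) from a hypothetical enrollment test.
GENUINE = [0.92, 0.88, 0.85, 0.81, 0.79, 0.76, 0.70, 0.66, 0.60, 0.55]
IMPOSTOR = [0.62, 0.58, 0.52, 0.48, 0.45, 0.41, 0.38, 0.33, 0.30, 0.22]

if __name__ == "__main__":
    for p in sweep(GENUINE, IMPOSTOR):
        print(f"threshold {p.threshold:.2f}  FAR {p.far:.2f}  FRR {p.frr:.2f}")
    print("crossover:", crossover(GENUINE, IMPOSTOR))
    print("tuned for zero FAR:", tune_for_max_far(GENUINE, IMPOSTOR, 0.0))
```

With these scores the crossover sits at threshold 0.60 with FAR = FRR = 0.1; insisting on zero false acceptances forces the threshold to 0.66 and doubles the rejection rate, which is exactly the de-tuning the card describes.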
What is multi factor authentication?
The use of authentication factors from at least two different types (type 1, type 2, type 3). Two factors of the same type, such as a password plus a PIN, are not multi-factor.
What are the principles of security operations?
Need to Know
Least Privilege
Separation of duties
Explain DAC.
Discretionary access controls… Method that lets the object's owner control and define which subjects can access the object, typically through an access control list attached to the object. NTFS and POSIX file permissions are everyday examples.
Provide an example of Non-discretionary access
Non-discretionary access control is any model where access is set centrally by an administrator rather than by the object owner, most commonly role-based access control (RBAC). Enterprise systems such as SAP and Oracle use it: users are assigned roles, and changing a role's permissions changes access system-wide.
Explain rule based access
Rule-based access control applies global rules to every subject regardless of identity (a firewall ruleset is the classic example). It suits environments with constant changes to data permissions, because changing one rule changes behaviour for everyone at once.
Where is lattice based security appropriate?
A lattice defines an upper and lower bound of access for each subject and object, and a subject may access objects whose label falls within its bounds. It suits environments where an object's classification is refined over time and subject access must change as the object's label changes, because the lattice orders labels instead of listing individual permissions.
Explain Mandatory Access Controls and provide an example.
It uses labels: every object carries a classification (attributes such as level and compartment) and every subject carries a clearance, and the system, not the owner, decides access by comparing the two. Example: a subject cleared to Secret can read Confidential and Secret documents but not Top Secret ones, and cannot change that rule. Military classification systems and SELinux are MAC implementations.
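The DAC, non-discretionary (RBAC) and lattice/MAC cards above, contrasted in one added example that is not part of the original flashcards: each model gets an access-decision function over constructed users, roles and labels, with implicit deny as the default in every branch. The MAC branch follows the Bell-LaPadula rules (no read up, no write down) as its lattice example; that choice, the level names and the role definitions are this snippet's assumptions.

```python
"""Access decisions under DAC, non-discretionary (role-based) and MAC.
Added illustration with constructed users, roles and labels; the MAC rules are
Bell-LaPadula (no read up, no write down), an assumption of this snippet."""
from dataclasses import dataclass, field


# ---- DAC: the object's owner edits its ACL; everyone else is implicitly denied
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)   # subject -> set of permissions


def dac_grant(obj: DacObject, actor: str, subject: str, perms: set) -> bool:
    """Discretionary: only the owner may change who can access the object.
    Returns False (and leaves the ACL alone) when anyone else tries."""
    if actor != obj.owner:
        return False
    obj.acl[subject] = set(perms)
    return True


def dac_allowed(obj: DacObject, subject: str, perm: str) -> bool:
    return subject == obj.owner or perm in obj.acl.get(subject, set())


# ---- Non-discretionary (RBAC): an administrator maintains roles centrally
ROLE_PERMS = {                                  # constructed role definitions
    "ap_clerk":   {"invoice:create", "invoice:read"},
    "ap_manager": {"invoice:read", "invoice:approve"},
    "auditor":    {"invoice:read", "ledger:read"},
}
USER_ROLES = {"dana": {"ap_clerk"}, "eve": {"ap_manager"}, "finn": {"auditor"}}


def rbac_allowed(user: str, perm: str) -> bool:
    """Owners grant nothing here; editing ROLE_PERMS changes access system-wide."""
    return any(perm in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(user, set()))


# ---- MAC: labels on objects, clearances on subjects, ordered as a lattice
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()


def dominates(a: Label, b: Label) -> bool:
    """Lattice order: a dominates b when its level is at least b's and its
    compartments include all of b's."""
    return LEVELS[a.level] >= LEVELS[b.level] and b.compartments <= a.compartments


def mac_allowed(clearance: Label, label: Label, perm: str) -> bool:
    """Bell-LaPadula: read needs clearance to dominate the label (no read up);
    write needs the label to dominate the clearance (no write down).
    Neither the owner nor the subject can alter the labels."""
    if perm == "read":
        return dominates(clearance, label)
    if perm == "write":
        return dominates(label, clearance)
    return False                                 # implicit deny for anything else


if __name__ == "__main__":
    doc = DacObject(owner="alice")
    print("bob before grant:", dac_allowed(doc, "bob", "read"))
    dac_grant(doc, "alice", "bob", {"read"})
    print("bob after grant:", dac_allowed(doc, "bob", "read"))
    print("dana approves invoice:", rbac_allowed("dana", "invoice:approve"))
    analyst = Label("SECRET", frozenset({"CRYPTO"}))
    print("secret/crypto reads top secret:", mac_allowed(analyst, Label("TOP SECRET"), "read"))
```

The three functions make the ownership difference concrete: in DAC the owner is part of the decision, in RBAC the decision consults only administrator-maintained tables, and in MAC the decision compares labels that neither party can change.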
Name the core elements of Kerberos
Key Distribution Center (KDC)
Kerberos Authentication Server (KAS), which authenticates the principal and issues the TGT
Ticket Granting Service (TGS), which exchanges a TGT for service tickets
Ticket Granting Ticket (TGT)
Ticket (service ticket presented to the target service)
Where is federated SSO used?
When linking multiple unrelated environments, systems, or companies so that one login is trusted across organizational boundaries (for example, SAML-based SSO between a company and a SaaS provider)
What are the AAA Protocols
Protocols that centralize the three A's for network access (RADIUS, TACACS+, Diameter):
Authentication
Authorization
Accounting
When is Radius used?
For centralized authentication of remote and network access: dial-up, VPN, wireless (802.1X) and network device logins, including connecting external locations over telecom links to a central authentication server
When is Diameter more appropriate than Radius
In mobile and roaming environments. Diameter was designed as RADIUS's successor with reliable transport (TCP/SCTP), a larger attribute space, and better support for roaming between providers.
Name multiple Authorization Mechanisms
Implicit Deny - anything not explicitly granted is denied
Access Control Matrix - table of subjects (rows) against objects (columns); each row is a capability list, each column an ACL
Constrained interface - the application only shows or enables the functions the user is allowed to use
What is the Identity & Access Lifecycle
- Provisioning
- Regular Review
- De-provisioning
What is the difference between authentication, authorization, and identification?
Subjects claim an identity (identification)
Subjects prove their identity via authentication
Subjects are granted or denied access to Objects via authorization
What is SPML
Service Provisioning Markup Language - XML-based framework for exchanging user, resource, and service provisioning information between cooperating organizations. It supports federated identity management on the account-provisioning side; the SSO assertions themselves are carried by SAML.
What technology uses software to manage access to resources?
software/ technical.
What is NOT needed for system accountability?
Authorization. Accountability needs identification, authentication, and auditing to tie actions to a proven identity; whether an action was authorized is recorded in the log, not required to hold the subject accountable.
What is an Access Control List based on?
Objects. An ACL is attached to an object and lists the subjects that may access it (a column of the access control matrix); the subject-focused view is a capability list or capability table (a row).
What is not needed for SSO? A. Kerberos B. Federated Identity C. TACACS+ D. SPML
C. TACACS+ - a network-device AAA protocol, not an SSO technology