Access Control Flashcards
CIA
Confidentiality, Integrity, Availability
Access controls protect against:
Threats such as unauthorized access, inappropriate modification of data, and loss of confidentiality (the DAD triad below)
DAD
Opposing forces of CIA. Disclosure, Alteration, Destruction
Confidentiality
Seeks to prevent unauthorized read access to information. Example: PII
Integrity
Seeks to prevent unauthorized modification of information
Two types of Integrity
Data Integrity & System Integrity
Data Integrity
seeks to protect information against unauthorized modification
System integrity
seeks to protect a system from unauthorized modification
Availability
ensures that information, and the systems that hold it, are available when needed
AAA
Authentication, Authorization, Accountability
Identity
a claim of who you are (like a username)
Authentication
proving an identity claim (like a password)
Authorization
the actions a subject is permitted to perform on a system once it has identified and authenticated; may include reading, writing, or executing files/programs
Accountability
holds users accountable for their actions; typically done by logging and analyzing audit data
Non-Repudiation
a user cannot deny having performed a transaction. You must have both authentication (who did it) and integrity (what was done) to have non-repudiation
Least privilege
users should be granted the minimum amount of access (authorization) required to do their jobs
Need to know
a user must need to know that specific piece of information before accessing it (the user must have a business need to access the data); applies even to users whose clearance is high enough
Subject
an active entity on a system (user, process, program) that manipulates objects
Object
a passive entity on a system (file, database row, printer) that is acted on by subjects; objects do not manipulate other objects
Defense in Depth
applies multiple safeguards (called controls) to protect an asset
Which Access control model is the best?
none, each model is used for a specific information security purpose
What are the primary Access Control Models?
Discretionary Access Control (DAC), Mandatory Access Control (MAC), and Non-Discretionary Access Control
What is DAC?
Discretionary Access Control: gives subjects full control of objects they have been given access to, including sharing the objects with other subjects (the owner's discretion, not the system's)
What is MAC?
Mandatory Access Control: primarily for Gov't/Military; system-enforced access control based on subject clearance level and object labels, which subjects cannot change
Two types of non-discretionary access control
Role-based Access Control (RBAC) and Task-based access control
What is RBAC?
Role-based Access Control: defines how information is accessed on a system based on the role of the subject (permissions attach to roles, users are assigned roles)
Three rules of RBAC?
1. Role Assignment 2. Role Authorization 3. Transaction Authorization
Task-based access control
based on the tasks each subject must perform (focuses on specific tasks rather than roles)
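The three models above side by side, as an added example (not from the original flashcards). It shows the property that distinguishes each one: in DAC the owner hands access on, in MAC the system compares labels and clearances (Bell-LaPadula style "no read up / no write down", with compartments standing in for need to know), and in RBAC access passes through the three RBAC rules. The subjects, objects, labels and roles are constructed for illustration.

```python
"""DAC, MAC and RBAC side by side. Constructed example; the subjects,
objects, labels and roles are illustrative, not from any real system."""

# ---- DAC: whoever owns the object controls its ACL and may pass access on ----
class DACObject:
    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "write", "share"}}   # subject -> permissions

    def share(self, by, to, perms):
        # The DAC hallmark: a subject with access can hand that access to others.
        if "share" not in self.acl.get(by, set()):
            raise PermissionError(f"{by} may not share this object")
        self.acl.setdefault(to, set()).update(perms)

    def allows(self, subject, perm):
        return perm in self.acl.get(subject, set())


# ---- MAC: labels and clearances are set by the system, not the subject --------
LEVELS = {"Confidential": 1, "Secret": 2, "Top Secret": 3}

def mac_allows(clearance, need_to_know, label, compartments, perm):
    """Bell-LaPadula rules: read only if the subject dominates the object
    (no read up), write only if the object dominates the subject (no write
    down); compartment sets encode need to know."""
    if perm == "read":
        return LEVELS[clearance] >= LEVELS[label] and compartments <= need_to_know
    if perm == "write":
        return LEVELS[label] >= LEVELS[clearance] and need_to_know <= compartments
    raise ValueError(perm)


# ---- RBAC: access flows through roles, following the three RBAC rules --------
class RBAC:
    def __init__(self):
        self.role_perms = {}    # role -> {(object, perm)}
        self.user_roles = {}    # user -> {role}
        self.active = {}        # user -> role activated for this session

    def grant(self, role, obj, perm):
        self.role_perms.setdefault(role, set()).add((obj, perm))

    def assign(self, user, role):          # rule 1: role assignment
        self.user_roles.setdefault(user, set()).add(role)

    def activate(self, user, role):        # rule 2: role authorization
        if role not in self.user_roles.get(user, set()):
            raise PermissionError(f"{user} is not assigned role {role}")
        self.active[user] = role

    def allows(self, user, obj, perm):     # rule 3: transaction authorization
        role = self.active.get(user)
        return role is not None and (obj, perm) in self.role_perms.get(role, set())


def demo():
    out = {}
    # DAC: alice owns a report and chooses to let bob read it
    report = DACObject("alice")
    out["dac_bob_before"] = report.allows("bob", "read")
    report.share("alice", "bob", {"read"})
    out["dac_bob_after"] = report.allows("bob", "read")
    try:
        report.share("bob", "carol", {"read"})          # bob was never given 'share'
        out["dac_bob_reshare"] = True
    except PermissionError:
        out["dac_bob_reshare"] = False

    # MAC: a Secret-cleared analyst with the NATO compartment, against several objects
    clr, ntk = "Secret", {"NATO"}
    out["mac_read_conf"] = mac_allows(clr, ntk, "Confidential", set(), "read")
    out["mac_read_ts"] = mac_allows(clr, ntk, "Top Secret", set(), "read")        # read up
    out["mac_read_crypto"] = mac_allows(clr, ntk, "Secret", {"CRYPTO"}, "read")   # no need to know
    out["mac_write_ts"] = mac_allows(clr, ntk, "Top Secret", {"NATO"}, "write")
    out["mac_write_conf"] = mac_allows(clr, ntk, "Confidential", {"NATO"}, "write")  # write down

    # RBAC: permissions attach to the role; the user gets the role, then activates it
    rbac = RBAC()
    rbac.grant("payroll_clerk", "payroll", "read")
    rbac.assign("dave", "payroll_clerk")
    out["rbac_before_activate"] = rbac.allows("dave", "payroll", "read")
    rbac.activate("dave", "payroll_clerk")
    out["rbac_after_activate"] = rbac.allows("dave", "payroll", "read")
    try:
        rbac.activate("eve", "payroll_clerk")           # never assigned the role
        out["rbac_eve"] = True
    except PermissionError:
        out["rbac_eve"] = False
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22} {v}")
```

The write-down refusal in the MAC part is the point exam questions tend to probe: a Secret subject may write into a Top Secret object but not into a Confidential one, because the lower object could then carry Secret data downward.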
Content- and Context-dependent access controls
not full-fledged access control methods in their own right, but play a supporting, defense-in-depth role. Content-dependent: the decision depends on the data itself (e.g. a database view that hides the salary column). Context-dependent: the decision depends on the circumstances of the request (e.g. time of day, location, previous actions)
Centralized access control
concentrates access control in one logical point for a system or organization
Decentralized access control
allows IT administration to occur closer to the mission and operations of the organization; also called distributed access control
Identity Lifecycle Rules
* password policy compliance checking
* notifying users to change passwords before they expire
* identifying lifecycle changes such as inactive accounts
* identifying new accounts not used for 10 days
* identifying suspended accounts
* identifying all accounts belonging to expired contracts
Access aggregation
Individual users gain more access to a system over time as jobs change and old permissions aren't removed (also called authorization creep); a violation of least privilege
What is RADIUS
Remote Authentication Dial-In User Service: considered an AAA system; uses UDP and a shared secret, and encrypts only the password attribute, not the rest of the request
What is Diameter
successor to RADIUS; provides an improved AAA framework
What is TACACS and TACACS+
Terminal Access Controller Access Control System: centralized access control system that requires users to send an ID and password for authentication. TACACS+ (the current, Cisco-developed version) separates authentication, authorization and accounting, runs over TCP, and encrypts the entire packet body, unlike RADIUS
PAP?
Password Authentication Protocol: not a strong authentication method; sends the password in clear text
CHAP?
Challenge Handshake Authentication Protocol: provides protection against playback (replay) attacks; depends upon a secret known to both the authenticator and the peer, which is never sent over the link
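The PAP/CHAP contrast as an added worked example (not from the original flashcards): the PAP line shows what a sniffer captures, the CHAP part runs the RFC 1994 exchange (Response = MD5(Identifier || Secret || Challenge)) with both sides, then replays a captured response against a fresh challenge to show why playback fails. The shared secret, peer name and wordlist are constructed. The last function is the caveat the card does not mention: a captured challenge/response pair still permits offline guessing of a weak secret.

```python
import hashlib, hmac, os

SECRET = b"correct horse battery staple"   # constructed shared secret; both peer and authenticator hold it

def pap_on_the_wire(username, password):
    """PAP: the peer simply sends the password. Anything a sniffer captures can be reused as-is."""
    return f"{username}:{password}".encode()

def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP: Response = MD5(Identifier || Secret || Challenge). The secret never crosses the link."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapAuthenticator:
    def __init__(self, secrets):
        self.secrets = secrets     # peer name -> shared secret (CHAP needs it in recoverable form)
        self.pending = {}          # identifier -> challenge awaiting a response
        self.ident = 0

    def challenge(self):
        self.ident = (self.ident + 1) % 256
        chal = os.urandom(16)      # fresh and unpredictable every time: this is what defeats playback
        self.pending[self.ident] = chal
        return self.ident, chal

    def verify(self, identifier, peer, response):
        chal = self.pending.pop(identifier, None)   # a challenge can be answered once
        if chal is None or peer not in self.secrets:
            return False
        return hmac.compare_digest(chap_response(identifier, self.secrets[peer], chal), response)

def chap_session(auth, peer, secret):
    """One legitimate authentication; also returns what an eavesdropper would have captured."""
    ident, chal = auth.challenge()
    resp = chap_response(ident, secret, chal)
    return auth.verify(ident, peer, resp), (ident, chal, resp)

def replay(auth, peer, captured):
    """Attacker resends the captured response, both with the old identifier and with the new one."""
    ident_old, _chal, resp = captured
    ident_new, _ = auth.challenge()
    return auth.verify(ident_old, peer, resp) or auth.verify(ident_new, peer, resp)

def offline_guess(captured, candidates):
    """Caveat: a captured (identifier, challenge, response) triple lets an attacker test secret
    guesses offline; a weak shared secret falls to a dictionary even though replay fails."""
    ident, chal, resp = captured
    for guess in candidates:
        if chap_response(ident, guess, chal) == resp:
            return guess
    return None

if __name__ == "__main__":
    print("PAP sends:", pap_on_the_wire("alice", "hunter2"))
    auth = ChapAuthenticator({"ppp-peer": SECRET})
    ok, captured = chap_session(auth, "ppp-peer", SECRET)
    print("CHAP login:", ok, " replay:", replay(auth, "ppp-peer", captured))
    print("offline guess:", offline_guess(captured, [b"password", b"letmein", SECRET]))
```

Note that the authenticator must store the secret in recoverable form (it has to compute the same MD5), so a compromised authenticator database exposes every peer's secret outright.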
3 concepts that affect access control?
1. least privilege 2. separation of duties 3. rotation of duties
separation of duties
checks and balances: a sensitive task is split so that no single person can complete (or conceal) it alone
rotation of duties
requires different staff members to perform the same duty over time, so no one person holds a position unchecked long enough to commit and hide fraud
Describe 3 security labels used by Gov’t
Top Secret: exceptionally grave damage; Secret: serious damage; Confidential: damage (to national security if disclosed)
Clearance
determines whether or not a user can be trusted with a specific level of information
Rule-Based Access Control
think firewalls. Uses a series of defined rules, restrictions and filters for accessing objects
ACL
Access Control List: a list, attached to an object, of the subjects that may access it and the permissions each one has
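Rule-based access control in the firewall sense, as an added example (not from the original flashcards): an ordered rule list evaluated first-match-wins with an implicit deny at the end, plus the check a practitioner wants on such a list, finding rules that can never fire because an earlier rule already covers them. The rule set and addresses are constructed; the ordering mistake in it is deliberate.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    src: str                 # source CIDR
    dport: Optional[int]     # destination port, None = any
    action: str              # "allow" or "deny"

# Constructed rule set with a deliberate ordering mistake (rule 2 can never fire).
RULES = [
    Rule("10.0.0.0/8", 22, "deny"),        # 0: block SSH from the whole corporate range
    Rule("10.1.0.0/16", None, "allow"),    # 1: office subnet may reach everything else
    Rule("10.1.5.0/24", 22, "allow"),      # 2: intended admin-jump exception for SSH
    Rule("0.0.0.0/0", 443, "allow"),       # 3: HTTPS from anywhere
]

def evaluate(rules, src_ip, dport):
    """First matching rule wins; nothing matching means implicit deny."""
    ip = ipaddress.ip_address(src_ip)
    for i, r in enumerate(rules):
        if ip in ipaddress.ip_network(r.src) and r.dport in (None, dport):
            return r.action, i
    return "deny", None

def shadowed(rules):
    """(rule, earlier rule) pairs where the earlier rule fully covers the later one,
    so the later rule is dead. Partial overlaps are not reported by this check."""
    dead = []
    for i, r in enumerate(rules):
        net = ipaddress.ip_network(r.src)
        for j in range(i):
            p = rules[j]
            if net.subnet_of(ipaddress.ip_network(p.src)) and p.dport in (None, r.dport):
                dead.append((i, j))
                break
    return dead

# Corrected order: the specific exception goes before the broad deny.
FIXED = [RULES[2], RULES[0], RULES[1], RULES[3]]

if __name__ == "__main__":
    print("admin SSH, original order:", evaluate(RULES, "10.1.5.7", 22))
    print("shadowed rules:", shadowed(RULES))
    print("admin SSH, fixed order:", evaluate(FIXED, "10.1.5.7", 22))
    print("unlisted traffic:", evaluate(RULES, "203.0.113.5", 80))
```

Because the match is ordered, an ACL is only as good as its ordering: the admin exception in rule 2 is silently dead until it is moved above the broad deny.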
6 Access Control Types
1. Preventative 2. Detective 3. Corrective 4. Recovery 5. Deterrent 6. Compensating
3 Access Control Categories
1. Administrative 2. Technical 3. Physical
Admiministrative Access Control
also called directive; think paperwork (policies, procedures, training)
Technical Access Control
implemented using software, hardware, or firmware; think buy/install something
Physical Access Control
implemented with physical devices like doors, locks, guards, dogs, etc
Preventative Access Control
prevent an action from happening; e.g. assigning privileges on a system, a locked door
Detective Access Control
controls that alert during or after a successful attack; CCTV, bldg alarm system
Corrective Access Control
work by correcting a damaged system or process after an incident; think antivirus quarantining a file, or an IPS (HIPS/NIPS) dropping a malicious connection. Note that an IDS (HIDS/NIDS) only alerts, so it is a detective control
Recovery Access Control
restores functionality of a system and organization
Deterrent Access Control
deters users from performing an action; think warning banners and “Beware of Dog” signs
Compensating Access Control
security control put in place to compensate for a weakness in other controls
3 types of authentication methods
Type 1 - Something you know Type 2 - Something you have Type 3 - Something you are
Describe 4 types of passwords
1. Static 2. Passphrases 3. One-Time Passwords 4. Dynamic passwords
Strong Authentication
requires users to present more than one type of authentication factor (also called multi-factor authentication); two passwords are still one factor
Hashing
one-way algorithm that maps data of any length to a fixed-length digest; used to verify the integrity of data; uses an algorithm and no key
Dictionary Attack
runs each word from a dictionary (wordlist) through the hashing algorithm, then tries to match the resulting hash against the target
Brute-force attack
takes more time but is more thorough: calculates the hash of every possible password in the keyspace
Rainbow tables
database that contains the precomputed hashed output for most or all possible passwords, trading disk space for cracking time
Hybrid attack
appends, prepends, or changes characters in words from a dictionary attack before hashing
Salt
a random value added to the password before hashing so that one password hashes different ways for different users; defeats precomputed (rainbow) tables and hides which users share a password
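The four attacks and the salt defence above, run end to end as an added example (not from the original flashcards). The wordlist, target passwords and salts are constructed; the "rainbow table" is simplified to a plain precomputed hash-to-password map, since the point here is precomputation versus salting rather than chain/reduction mechanics. The last function is the practitioner's addition: SHA-256 is used for the demonstrations only, and real password storage needs a deliberately slow KDF.

```python
import hashlib, itertools, os

WORDLIST = ["123456", "password", "letmein", "dragon", "qwerty"]   # constructed mini dictionary

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def dictionary_attack(target_hash, words):
    """Hash each candidate and compare; works on any iterable of candidates."""
    for w in words:
        if sha256_hex(w.encode()) == target_hash:
            return w
    return None

def hybrid_candidates(words):
    """Mangling rules applied to dictionary words: capitalise, append a digit, leetspeak."""
    for w in words:
        yield w
        yield w.capitalize()
        for d in "0123456789":
            yield w + d
        yield w.replace("a", "@").replace("o", "0").replace("e", "3")

def hybrid_attack(target_hash, words):
    return dictionary_attack(target_hash, hybrid_candidates(words))

def brute_force(target_hash, alphabet="abcdefghijklmnopqrstuvwxyz", max_len=4):
    """Exhaustive: every string up to max_len. Guaranteed within the keyspace, but cost grows as |alphabet|^len."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            cand = "".join(combo)
            if sha256_hex(cand.encode()) == target_hash:
                return cand
    return None

def build_rainbow_table(words):
    """Simplified precomputation: hash -> password for every hybrid candidate, built once, reused forever."""
    return {sha256_hex(w.encode()): w for w in hybrid_candidates(words)}

def salted_hash(password, salt=None):
    """Per-user random salt stored beside the hash; the table above cannot have precomputed salt+password."""
    salt = salt or os.urandom(16)
    return salt, sha256_hex(salt + password.encode())

def kdf_hash(password, salt, iterations=600_000):
    """What to store in practice: a slow KDF (PBKDF2 here; argon2id, scrypt or bcrypt are preferred)
    so every guess costs the attacker as much as it costs the verifier."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def demo():
    r = {}
    r["dict"] = dictionary_attack(sha256_hex(b"letmein"), WORDLIST)
    r["dict_miss"] = dictionary_attack(sha256_hex(b"p@ssw0rd"), WORDLIST)   # not a plain dictionary word
    r["hybrid"] = hybrid_attack(sha256_hex(b"p@ssw0rd"), WORDLIST)          # mangling rule finds it
    r["brute"] = brute_force(sha256_hex(b"zed"))                            # short keyspace falls quickly
    table = build_rainbow_table(WORDLIST)
    r["table_unsalted"] = table.get(sha256_hex(b"qwerty1"))                 # instant lookup
    _, h_a = salted_hash("qwerty1", b"A" * 16)
    _, h_b = salted_hash("qwerty1", b"B" * 16)
    r["table_salted"] = table.get(h_a)                                      # table is useless
    r["same_pw_differs"] = h_a != h_b                                       # two users, same password
    return r

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18} {v}")
```

Salting stops precomputation and password-reuse detection, but not a targeted dictionary attack against one salted hash; only a slow KDF raises the cost of that.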
Synchronous Dynamic Token
use time or counters to synchronize a displayed code with code expected by server
Asynchronous Dynamic Token
not synchronized with central server; commonly challenge-response tokens
Describe FRR, FAR, and CER
FRR (False Reject Rate, type I error) and FAR (False Accept Rate, type II error) trade off against each other as the matching threshold is tuned: as False Reject goes down, False Accept goes up. The point where they are equal is the Crossover Error Rate (CER, also called EER); a lower CER means a more accurate biometric system
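The FAR/FRR trade-off computed on constructed match scores, as an added example (not from the original flashcards): genuine-user and impostor scores are sampled at every threshold, and the CER is the threshold where the two rates meet. The score values are made up for illustration.

```python
# Constructed biometric match scores (0-100, higher = better match).
GENUINE = [95, 90, 85, 80, 75, 70, 55, 45, 35, 25]   # the enrolled user's own attempts
IMPOSTOR = [5, 15, 20, 30, 40, 50, 60, 65, 70, 80]   # other people against the same template

def far(threshold, impostor=IMPOSTOR):
    """False Accept Rate: fraction of impostors whose score reaches the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)

def frr(threshold, genuine=GENUINE):
    """False Reject Rate: fraction of genuine attempts whose score falls short."""
    return sum(s < threshold for s in genuine) / len(genuine)

def crossover(thresholds=range(0, 101, 5)):
    """CER/EER: the threshold where FAR and FRR are (closest to) equal."""
    return min(thresholds, key=lambda t: abs(far(t) - frr(t)))

def tradeoff_table(thresholds=range(0, 101, 10)):
    """One row per threshold so the opposite movement of the two rates is visible."""
    return [(t, far(t), frr(t)) for t in thresholds]

if __name__ == "__main__":
    for t, a, r in tradeoff_table():
        print(f"threshold {t:3}  FAR {a:.1f}  FRR {r:.1f}")
    cer = crossover()
    print(f"CER at threshold {cer}: FAR = FRR = {far(cer):.1f}")
```

A high-security deployment moves the threshold above the CER (fewer false accepts, more complaints from legitimate users); a convenience deployment moves it below.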

Which biometric control has potential health issues
retina scan
Someplace you are
potential use for GPS to allow/disallow service based on where the activity takes place. Think credit cards
Single Sign on advantages
- improved user and developer productivity - simplified admin
single sign on disadvantages
-difficult to retrofit - unattended desktops - single point of attack
FIdM
Federated Identity Management; applies SSO at a much wider scale from cross-org to Internet
Kerberos
third-party authentication service that may be used to support SSO; key terms: KDC, TGS, TGT, Principal, Realm, Ticket, Credentials, C/S
Principal
client (user) or service in Kerberos
Realm
logical Kerberos network
Ticket
data that authenticates a principal’s identity in kerberos
Credentials
a ticket together with its session key, in Kerberos
KDC
Key distribution center which authenticates principals–pivotal piece of kerberos
TGS
Ticket granting service
TGT
Ticket Granting Ticket, good for a site-selected specific lifetime; allows a typical user to authenticate once and access network resources for the lifetime of the ticket
C/S
client/server in kerberos
Kerberos strengths
provides mutual authentication of client and server; mitigates replay attacks via timestamps in the authenticator, which are accepted only within a short clock-skew window
kerberos weaknesses
the KDC stores the keys of all principals, so it is a single point of compromise (and of failure); replay attacks are still possible inside the timestamp window unless the service keeps a replay cache
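The Kerberos flashcards above (KDC, TGS, TGT, principal, realm, ticket, credentials, mutual authentication, timestamps and the replay weakness) exercised in one runnable toy, as an added example that is not from the original flashcards and not any real Kerberos implementation. It runs the three exchanges (AS, TGS, AP) with both sides' messages, then replays a captured AP-REQ: it is rejected inside the skew window only when the service keeps a replay cache, and rejected regardless once it is older than the skew. The sealing primitive (SHA-256 keystream plus HMAC tag), realm, principal names, skew and lifetime are assumptions made so the example runs on the standard library.

```python
import hashlib, hmac, json, os

# Toy sealing primitive: SHA-256 CTR keystream + HMAC tag (encrypt-then-MAC). It stands in for a real
# Kerberos enctype such as aes256-cts-hmac-sha1-96 so the example runs on the standard library only.
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

SKEW = 300            # authenticator timestamps further than this from 'now' are rejected (seconds)
LIFETIME = 8 * 3600   # site-selected ticket lifetime

class KDC:
    """Holds every principal's long-term key and runs both the AS and the TGS for one realm."""
    def __init__(self, realm, keys):
        self.realm, self.keys = realm, keys
        self.tgs_key = keys["krbtgt/" + realm]

    def as_exchange(self, client, now):
        # AS-REP: TGT sealed with the TGS key, plus the TGT session key sealed with the client's key
        sk = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"client": client, "skey": sk, "expires": now + LIFETIME})
        return tgt, seal(self.keys[client], {"skey": sk})

    def tgs_exchange(self, tgt, authenticator, service, now):
        # TGS-REP: validate TGT + authenticator, issue a service ticket sealed with the service's key
        t = unseal(self.tgs_key, tgt)
        a = unseal(bytes.fromhex(t["skey"]), authenticator)
        if now > t["expires"] or a["client"] != t["client"] or abs(now - a["ts"]) > SKEW:
            raise PermissionError("TGT or authenticator rejected")
        ssk = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "skey": ssk, "expires": now + LIFETIME})
        return ticket, seal(bytes.fromhex(t["skey"]), {"skey": ssk})

class Service:
    def __init__(self, name, key, use_cache=True):
        self.name, self.key, self.use_cache = name, key, use_cache
        self.seen = set()   # replay cache of (client, timestamp) pairs already accepted

    def ap_exchange(self, ticket, authenticator, now):
        # AP-REQ: ticket + authenticator. AP-REP: ts+1 sealed with the session key = mutual authentication
        t = unseal(self.key, ticket)
        sk = bytes.fromhex(t["skey"])
        a = unseal(sk, authenticator)
        if now > t["expires"] or a["client"] != t["client"] or abs(now - a["ts"]) > SKEW:
            raise PermissionError("ticket or authenticator rejected")
        if self.use_cache and (a["client"], a["ts"]) in self.seen:
            raise PermissionError("replayed authenticator")
        self.seen.add((a["client"], a["ts"]))
        return seal(sk, {"ts": a["ts"] + 1})

def client_login(kdc, svc, client, client_key, now):
    """Client side of the AS, TGS and AP exchanges. Returns (mutual auth ok, the AP-REQ as an eavesdropper saw it)."""
    tgt, rep = kdc.as_exchange(client, now)
    sk = bytes.fromhex(unseal(client_key, rep)["skey"])        # credentials = TGT + its session key
    ticket, rep2 = kdc.tgs_exchange(tgt, seal(sk, {"client": client, "ts": now}), svc.name, now)
    ssk = bytes.fromhex(unseal(sk, rep2)["skey"])
    ap_req = (ticket, seal(ssk, {"client": client, "ts": now}))
    ap_rep = unseal(ssk, svc.ap_exchange(*ap_req, now))
    return ap_rep["ts"] == now + 1, ap_req

def demo(now=1_700_000_000):
    keys = {p: os.urandom(32) for p in ("alice@EXAMPLE.COM", "host/fs.example.com", "krbtgt/EXAMPLE.COM")}
    kdc = KDC("EXAMPLE.COM", keys)
    results = {}
    for use_cache in (True, False):
        fs = Service("host/fs.example.com", keys["host/fs.example.com"], use_cache)
        ok, ap_req = client_login(kdc, fs, "alice@EXAMPLE.COM", keys["alice@EXAMPLE.COM"], now)
        try:                                   # eavesdropper replays the AP-REQ ten seconds later
            fs.ap_exchange(*ap_req, now + 10)
            replayed = True
        except PermissionError:
            replayed = False
        results[use_cache] = (ok, replayed)
    try:                                       # and again ten minutes later: outside the skew window
        fs.ap_exchange(*ap_req, now + 600)
        results["late"] = True
    except PermissionError:
        results["late"] = False
    return results

if __name__ == "__main__":
    print(demo())
```

The single-point-of-compromise weakness is visible in the structure: `keys` lives on the KDC, and whoever holds `krbtgt/EXAMPLE.COM` can mint any TGT.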
SESAME
Secure European System for Applications in a Multivendor Environment: SSO supporting heterogeneous environments; adds to Kerberos; uses Privilege Attribute Certificates (PAC)
Security Audit Logs
the easiest way to verify that access control methods are working. Primarily a detective control: logs record what happened, they stop nothing on their own
5 distinct problems of audit logs
1. logs not reviewed 2. logs/trails not stored long enough 3. logs not standardized or viewable 4. log entries/alerts not prioritized 5. logs reviewed only for "bad" stuff
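A small log review that addresses problems 3, 4 and 5 from the card above, as an added example (not from the original flashcards): it parses sshd-style lines into a standard record, looks at successful logins rather than only the "bad" failure lines, and prioritizes what it finds. The log lines are constructed in OpenSSH's format for this example; the thresholds and business hours are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, mimicking OpenSSH auth log lines (not from a real host).
LOGS = """\
Mar  3 02:11:01 bastion sshd[2201]: Failed password for root from 198.51.100.7 port 4410 ssh2
Mar  3 02:11:04 bastion sshd[2201]: Failed password for root from 198.51.100.7 port 4410 ssh2
Mar  3 02:11:08 bastion sshd[2201]: Failed password for root from 198.51.100.7 port 4410 ssh2
Mar  3 02:11:15 bastion sshd[2207]: Accepted password for root from 198.51.100.7 port 4412 ssh2
Mar  3 09:02:44 bastion sshd[2310]: Failed password for jsmith from 10.1.5.7 port 51000 ssh2
Mar  3 09:02:50 bastion sshd[2310]: Accepted publickey for jsmith from 10.1.5.7 port 51000 ssh2
Mar  3 09:15:00 bastion sshd[2390]: Accepted publickey for deploy from 10.1.9.9 port 51100 ssh2
"""

# Problem 3 (not standardized): normalise each line into the same record shape first.
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) (\w+) for (\S+) from (\S+) port")

def parse(text, year=2024):
    """Syslog lines carry no year, so one is assumed; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "outcome": m.group(2), "method": m.group(3),
                       "user": m.group(4), "ip": m.group(5)})
    return events

SEVERITY = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}

def review(events, fail_threshold=3, window_s=60, business_hours=range(8, 18)):
    """Problem 5: the interesting event is the success that follows the failures, not the failures alone.
    Problem 4: every finding carries a severity and the list comes back sorted by it."""
    alerts = []
    recent_failures = defaultdict(list)          # (user, ip) -> timestamps of failures since last success
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["user"], e["ip"])
        if e["outcome"] == "Failed":
            recent_failures[key].append(e["ts"])
            continue
        fails = [t for t in recent_failures[key] if (e["ts"] - t).total_seconds() <= window_s]
        if len(fails) >= fail_threshold:
            alerts.append(("HIGH", e["user"], e["ip"], f"success after {len(fails)} failures within {window_s}s"))
        if e["user"] == "root":
            alerts.append(("MEDIUM", e["user"], e["ip"], "interactive root login"))
        if e["ts"].hour not in business_hours:
            alerts.append(("LOW", e["user"], e["ip"], "login outside business hours"))
        recent_failures[key].clear()
    return sorted(alerts, key=lambda a: SEVERITY[a[0]])

if __name__ == "__main__":
    for sev, user, ip, why in review(parse(LOGS)):
        print(f"{sev:6} {user}@{ip}: {why}")
```

A reviewer who only grepped for "Failed" would have seen three failures for root and moved on; the record that matters is the fourth line, the Accepted one.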
Types of attackers
hackers, black/white hats, script kiddies, outsiders, insiders, hacktivist, bots/botnets, phishers/spear phishers
Zombie
aka bot (computer system running malware controlled via botnet)
vishing
automated voice scripts over a VoIP network
penetration testing
an authorized white hat hacker attempting to break into a system the way a black hat hacker would, to find and report the weaknesses before an attacker does
types of penetration testing
zero-knowledge/black box, full-knowledge/crystal-box, partial-knowledge