Access Control Flashcards
Access Control Concepts
CIA Triad
Confidentiality
Integrity
Availability
Confidentiality
Prevents disclosure of data
Integrity
Ensures data is protected from corruption or unauthorized modification
Availability
Ensures data accessible when and where it’s needed
Access Control Concepts
Default Stance (default allow or default deny)
Defense in Depth
Default stance is either an allow by default, or deny by default
Deny by default is recommended because it is stricter: anything not explicitly permitted fails closed
Defense in depth is the practice of placing multiple independent layers of security between attackers and the data and the resources it resides on, so that no single control failure exposes the data
Access Control Process
Identify Resources, Users, Relationships between them
ID resources which need protection
- How are they accessed
- Which data on the resources will be accessed
- Who will be accessing this data
ID Users
Document user levels and needs
Analyze needs against organizational polices, legal issues, data sensitivity and risk
Identification and Authentication
Identification
act of a user professing an identity, e.g. a user ID or username
Authentication
validating the professed identity by having the user present credentials tied to that identifier, e.g. a password
3 Factors for Authentication
Knowledge
Ownership
Characteristic
Knowledge - something the user knows, e.g. a password
Ownership - something the user possesses, e.g. a smart card
Characteristic - something the user is, e.g. a fingerprint
Knowledge Factors (Type 1 Factor)
Most popular form is a password
Also includes birthday, PIN, mother’s maiden name
If a knowledge factor is used, identity (account) management and password management are crucial
Identity and Account Management
5 elements of proper account management
Establish formal process for establishing, issuing, closing user accounts
Periodically review user accounts
Implement process for tracking access authorization
Periodically prescreen personnel in sensitive positions
Periodically verify legitimacy of user accounts
Password Types and Management
Standard
Combination
Static
Complex
Passphrase
Standard - single words
Combination (composition)- mix of two unrelated words
Static - remains same for each login. Most often seen in P2P networks
Complex - mix of upper, lowercase letter, numbers, special characters
Passphrase - a long phrase
Password Types and Management
Cognitive
One Time Passwords (dynamic)
Graphical
Numeric
Cognitive - piece of information, usually a series of questions based on user’s life (first car, favorite color)
OTP - only used once
Graphical - uses pictures, like CAPTCHA
Numeric - only has numbers, easier to guess because possibilities are known
Password Policies
Password life
Password history
Authentication period - how long a user can stay logged in
Password complexity
Password length
Password Types and Management
(Knowledge Factors)
Password locations and default accounts
Linux / UNIX: /etc/passwd (account list, world-readable), /etc/shadow (password hashes, protected); default privileged account is root
Windows: C:\Windows\System32\config\SAM (local account database); default accounts are Administrator and Guest
Password Types and Management
Ownership Factors, Type 2 authentication factor
Tokens
Memory Cards
Smart Cards
Synchronous token generates a unique one-time password at fixed time intervals, in step with the authentication server's clock
Asynchronous token works by challenge/response: the server sends a challenge and the token generates the correct response to it, which the user enters as the one-time password
Memory card is a card containing authentication information
Smart Cards - contain a chip
contact cards require physical contact
contactless cards / proximity cards
hybrid cards are both contact and contactless
Password Types and Management
Characteristic Factors, Type 3 authentication factor
Biometrics
Physiological Characteristics
Behavioral Characteristics
Physiological - unique attributes of the user: iris, fingerprints, etc
Behavioral - measure actions: voice patterns, data entry characteristics
Types of physiological factors
fingerprint
finger scan
hand geometry - size, shape, finger length
hand topography - peaks, valleys, shape of hand
palm or hand scan
facial scan - bone structure, eye width, etc
retina scan - retinal blood vessel pattern
iris scan - scans colored portion of eye, rifts, coronas, furrows
vascular scans - pattern of veins in hand or face
Behavioral Characteristics
Signature dynamics
stroke speed, pen pressure, acceleration, deceleration
Keystroke dynamics
measures typing pattern when inputting password or predetermined phrase
Voice Pattern or print
measures sound pattern of user stating certain word
Biometric Considerations
Enrollment Time
Feature Extraction
Accuracy
Throughput Rate
Acceptability
Enrollment Time
Process of obtaining sample used by biometric system
Feature Extraction
approach to obtaining biometric info from user
Accuracy
the most important characteristic of a biometric system
Throughput Rate
Rate that system can scan characteristics and complete the analysis to permit / deny
Acceptability
Likelihood that users will accept and follow the system
Biometric Considerations
(FRR) False Rejection Rate
Type 1 Error
(FAR) False Acceptance Rate
Type 2 Error
(CER) Crossover Error Rate
FRR - percentage of valid users the system falsely rejects. Type 1 Error
FAR - percentage of invalid users the system falsely accepts. Type 2 Error
CER - the threshold point where FRR = FAR
This is the most important metric for comparing systems; lower is better. Expressed as a percentage
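The FRR, FAR and CER cards above describe what the metrics mean but not how they are obtained. The following is an added example, not drawn from the flashcards or from any biometric product: it sweeps the acceptance threshold over constructed matcher scores, computes FRR and FAR at each threshold, and finds the crossover. The score lists are constructed, not measured data.

```python
"""Added example for the FRR / FAR / CER cards; it is not drawn from any
biometric product. The match scores are constructed, not measured: a
higher score means the live sample looks more like the enrolled template."""

# Constructed matcher scores for legitimate users (genuine attempts)
# and for impostors presenting to someone else's enrolled template.
GENUINE_SCORES = [92, 88, 85, 81, 78, 74, 70, 66, 61, 55]
IMPOSTOR_SCORES = [18, 24, 31, 39, 45, 52, 58, 63, 69, 77]


def frr(threshold, genuine=GENUINE_SCORES):
    """False Rejection Rate (Type 1 error): fraction of valid users whose
    score falls below the acceptance threshold and who are turned away."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def far(threshold, impostors=IMPOSTOR_SCORES):
    """False Acceptance Rate (Type 2 error): fraction of impostors whose
    score reaches the threshold and who are let in."""
    return sum(1 for s in impostors if s >= threshold) / len(impostors)


def crossover(genuine=GENUINE_SCORES, impostors=IMPOSTOR_SCORES):
    """Sweep every observed score as a candidate threshold and return
    (threshold, cer_percent) where FRR and FAR are closest to equal."""
    best = None
    for t in sorted(set(genuine) | set(impostors)):
        r, a = frr(t, genuine), far(t, impostors)
        gap = abs(r - a)
        if best is None or gap < best[0]:
            best = (gap, t, (r + a) / 2 * 100)
    _, threshold, cer_percent = best
    return threshold, cer_percent


def operating_point(max_far, genuine=GENUINE_SCORES, impostors=IMPOSTOR_SCORES):
    """A high-security deployment usually fixes a ceiling on FAR and pays
    for it in FRR: return the lowest threshold whose FAR is within the
    ceiling, together with the FRR and FAR at that threshold."""
    for t in sorted(set(genuine) | set(impostors)):
        if far(t, impostors) <= max_far:
            return t, frr(t, genuine), far(t, impostors)
    return None


if __name__ == "__main__":
    t, cer = crossover()
    print(f"CER {cer:.1f}% at threshold {t}")
    print("FAR <= 10% operating point (threshold, FRR, FAR):", operating_point(0.10))
```

Raising the threshold moves the system toward the FAR-limited side (fewer impostors admitted, more legitimate users rejected); a door to a server room would run at `operating_point(0.10)` or tighter rather than at the CER.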
Authorization Concepts
Access Control policy
Separation of Duties
Access Control policy defines methods for identifying and authenticating users and the level access granted to them
Separation of Duties
Prevents fraud by distributing a task, and the rights and privileges it needs, among more than one user so that no single person can complete it alone.
1. Dual Controls
2. Split Knowledge - no single user has all knowledge to perform certain task. ie one bank officer half combination, other officer knows other.
Authorization Concepts
Principle of Least Privilege
Need to Know Principle
Principle of Least Privilege
Requires user or process has only minimum privileges needed to do a certain task
Need to Know Principle
defines the minimums for each job or function
Authorization Concepts
No Access
Directory Service
SSO (Single Sign-On)
No Access is recommended default level of access
Directory Service - database for centralizing data management for network subjects and objects
- X.500
- LDAP
- X.400
SSO - enter credentials once to access all resources. Can be implemented in Kerberos and SESAME (Secure European System for Applications in Multivendor Environment)
Any directory service should provide a single sign on
Authorization Concepts
Kerberos
authentication protocol using a client server model
default authentication model for Windows Server and also used in Apple, Sun and Linux systems
Uses symmetric key cryptography, provides integrity and confidentiality
KDC (Key Distribution Center) is repository for all user and service secret keys
Kerberos Process
4 Steps
- User authenticates to the KDC's Authentication Service (AS)
- KDC returns a TGT (Ticket Granting Ticket) encrypted with the user's secret key
- User presents the TGT to the KDC's Ticket Granting Service (TGS) and receives a service ticket for the resource server
- User presents the service ticket to the Resource Server, which provides access
Authorization Process
Security Domain
set of resources that follow same security policies and are available to a subject
Domains are usually arranged in a hierarchical structure of parent and child domains
Federated Identity
portable identity that can be used across organizations
Each organization that joins federation agrees to enforce common policies and standards
Cross-Certification Model
each organization certifies every other one is trusted. Each organization must verify and certify other orgs meet or exceed standards
Trusted third party or bridge Model
Each organization subscribes to standards of a third party, the third party manages verification, certification, due diligence for all organizations
Federated Identity
2 Models that it’s based on
Cross Certification
Trusted Third-Party
User Accountability
Organization's ability to hold users responsible for their actions
Usually involves
Auditing, Reporting
Vulnerability Assessments
Penetration Testing
Threat Modeling
Auditing and Reporting
Ensures users are held accountable for their actions
You should monitor:
network, system, application, user events. Maybe keystroke activity
Remember that auditing impacts performance
Guidelines for Auditing
Develop audit log management plan (control size, backups, reviews)
Ensure ability to delete audit log requires 2 people
Monitor all high level accounts
Ensure audit trail includes who processed transaction, when it happened, where it happened, whether it succeeded or not
Ensure deleting the log and data in it can’t occur unless user has appropriate permissions
Auditing and Reporting
baselining
clipping levels
notifications
To identify abnormal patterns of behavior you should first identify normal patterns of behavior
Establish a clipping level, a baseline of errors above which violations will be recorded
Audit trails must be monitored, automatic notifications should be configured
Vulnerability Assessment
Personnel
Physical
System and Network
Personnel - reviews standard practices and procedures that users follow
Physical - reviews facility and perimeter protection
System and Network - review systems, devices, network topology
Penetration Testing
5 Steps
Simulate attack to ID threats from internal or external sources that could exploit vulnerabilities of a system or device
- document target system or device
- gather info about attack methods including port scanning
- ID known vulnerabilities of target
- execute attacks against target to gain user or privileged access
- document results of pen test, report findings with suggestions for remediation
Penetration Testing
Blind Test
Double-Blind Test
Target Test
Blind Test
testing team is given limited knowledge of the network using publicly available info. The security team knows the attack is coming. This requires more work by the testing team, which must simulate an actual attack
Double-blind Test
Like blind test except Security Team doesn’t know attack is coming. Requires equal effort for testing and security teams
Target Test
Both testing and security teams are given maximum information about network and the type of test. Easiest test to complete but won’t provide full picture of organization’s security
Penetration Testing
Zero-Knowledge Test
Partial-Knowledge Test
Full-Knowledge Test
Zero-Knowledge Test (Black Box Test)
Testing team provided with no knowledge about organization’s network. They can use any means possible to learn about it.
Partial-Knowledge Test
Testing team provided with public knowledge about organization’s network. Boundaries might be set for this type of test
Full-Knowledge Test
Testing team is provided with all available knowledge about the organization's network. This test focuses more on which attacks can be carried out.
Threat Modeling
aka
Risk Assessment
Lets you apply structured approach to security and address top threats that have greatest impact to your application first.
Access Control Categories
7 Main Categories
- Compensative
- Corrective
- Detective
- Deterrent
- Compensative - acts as mitigation to risks. ie two signatures to release sensitive information, or 2 keys for safe deposit box
- Corrective - reduces effect of attack. ie fire extinguishers, isolating or terminating connection, new firewall rules.
- Detective - detects attack while it's occurring and alerts personnel. ie motion detectors, IDS, guards, job rotation, investigations
- Deterrent - deters or discourages attackers. Often trigger preventive and corrective controls. ie User ID and authentication, fences, lighting, security policies and NDA’s
Access Control Categories
- Directive
- Preventive
- Recovery
- Directive - Specifies acceptable practice in an organization. Often an AUP, acceptable use policy, that lists proper and improper procedures
- Preventive - Prevents attack from occurring. ie locks, badges, biometrics, encryption, IPS, antivirus, personnel security, guards, passwords, training
- Recovery - recovers a system after an attack has occurred. ie Disaster Recovery plans, backups, offsite facilities
3 Access Control Types
- Administrative (Management)
- Logical (Technical)
- Physical
- Administrative - administers organization’s assets and personnel. ie personnel controls, data classification, data labeling, security awareness training, supervision
- Logical (Technical) - Restricts access. ie firewalls, IDS, IPS, encryption, authentication systems, protocols, auditing, monitoring, biometrics, smart cards, passwords
- Physical - Protects organization's facilities and personnel. ie perimeter security, badges, cards, guards, dogs, mantraps, biometrics, cabling
Access Control Models
Discretionary Access Control
Mandatory Access Control
Role-Based Access Control
Discretionary Access Control
Owner of object specifies which subjects can access the resource. Access based on subject’s identity, profile or role. DAC is a need-to-know control
Mandatory Access Control
Subject authorization is based on security labels. MAC is prohibitive because it’s based on security label system. Under MAC everything not expressly allowed is denied. Only administrators can change category of a resource
Role-Based Access Control
Each subject assigned to one or more roles. Roles are hierarchical. Access control based on the roles. Can be used to easily enforce minimum privileges for subjects
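The three models read differently once written as decision functions: in DAC the owner's grants decide, in MAC an administrator-set label comparison decides and anything not expressly allowed is denied, and in RBAC the user's (inherited) roles decide. The following is an added example, not from the flashcards; every subject, object, label and role in it is constructed. The MAC rules implement the read-down/write-up label comparison the cards allude to with "security labels"; the compartment handling is an extension of the card text.

```python
"""Added example, not from the flashcards: DAC, MAC and RBAC as small
decision functions. Every subject, object, label and role is constructed."""


# ---------- DAC: the object's owner hands out rights ----------
class DacObject:
    def __init__(self, owner):
        self.owner = owner
        self.grants = {}            # subject -> set of rights

    def grant(self, by, subject, right):
        """Only the owner may change the object's permissions."""
        if by != self.owner:
            raise PermissionError(f"{by} does not own this object")
        self.grants.setdefault(subject, set()).add(right)

    def allows(self, subject, right):
        return subject == self.owner or right in self.grants.get(subject, set())


# ---------- MAC: labels set by administrators, deny by default ----------
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}


def dominates(label_a, label_b):
    """label = (level, set of compartments). A dominates B when its level is
    at least B's and it holds every compartment B is marked with."""
    (lvl_a, comps_a), (lvl_b, comps_b) = label_a, label_b
    return LEVELS[lvl_a] >= LEVELS[lvl_b] and comps_b <= comps_a


def mac_allows(subject_label, object_label, action):
    """Read: subject must dominate object (no read up). Write: object must
    dominate subject (no write down). Any other action is denied."""
    if action == "read":
        return dominates(subject_label, object_label)
    if action == "write":
        return dominates(object_label, subject_label)
    return False


# ---------- RBAC: hierarchical roles; users get roles, roles get rights ----------
ROLE_PARENTS = {"clerk": [], "auditor": ["clerk"], "manager": ["clerk"],
                "admin": ["auditor", "manager"]}
ROLE_PERMS = {"clerk": {("ledger", "read")}, "auditor": {("audit-log", "read")},
              "manager": {("ledger", "write")}, "admin": {("users", "manage")}}
USER_ROLES = {"alice": {"manager"}, "bob": {"clerk"}, "carol": {"admin"}}


def effective_roles(role):
    """A role inherits its parents' permissions, transitively."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(ROLE_PARENTS[r])
    return seen


def rbac_allows(user, obj, action):
    """Least privilege falls out of the role graph: a clerk cannot write the
    ledger no matter who created the account."""
    roles = set()
    for r in USER_ROLES.get(user, ()):
        roles |= effective_roles(r)
    return any((obj, action) in ROLE_PERMS[r] for r in roles)
```

Note that the DAC object lets the owner delegate freely, which is exactly why DAC cannot enforce an organization-wide policy: nothing stops `alice` from granting `read` on a sensitive object to anyone.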
Access Control Models
Rule-Based Access Control (not role-based)
Content-Dependent Access Control
Context-Dependent Access Control
Rule-Based Access Control (not role-based)
facilitates frequent changes to data permissions. Using this method, a security policy is based on global rules for all users
Content-Dependent Access Control
makes access decisions based on data contained within the object
Context-Dependent Access Control
based on subject or object attributes or environmental characteristics. These characteristics can include the subject's location or the time of day
Access Control Models
Access Control Matrix
Capabilities Table
Access Control List
Access Control Matrix
table that has subjects, list of objects and list of actions that a subject can take on each object. Rows in the matrix are the subjects and columns are the objects
Capabilities Table (for subject) A capability corresponds to a subject's row from an Access Control Matrix. A capability table lists access rights that a particular subject has to objects. A capability table is about the subject
ACL (for object)
corresponds to an object’s column from an Access Control Matrix. an ACL lists all the access rights that subjects have to a particular object.
An ACL is about the object
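To make the row/column relationship concrete, the following is an added example (not from the cards): one access control matrix held as a dictionary of dictionaries, with the capability table and the ACL derived from it, a deny-by-default check, and the two revocation operations that show why each view is cheap for one question and expensive for the other. Subjects, objects and rights are constructed.

```python
"""Added example, not from the cards: one access control matrix and the two
views derived from it. Subjects, objects and rights are constructed."""

# Rows are subjects, columns are objects, each cell the set of rights.
# A missing cell is an empty set, i.e. denied.
MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "audit.log": {"read"}},
    "bob":   {"payroll.db": {"read"}, "backup.tar": {"read", "write"}},
    "carol": {"audit.log": {"read", "append"}},
}


def capability_table(subject, matrix=MATRIX):
    """Capability list: the subject's row. Answers 'what may alice do?'"""
    return {obj: set(r) for obj, r in matrix.get(subject, {}).items() if r}


def acl(obj, matrix=MATRIX):
    """ACL: the object's column. Answers 'who may touch payroll.db?'"""
    return {subj: set(row[obj]) for subj, row in matrix.items() if row.get(obj)}


def is_allowed(subject, obj, right, matrix=MATRIX):
    """Deny by default: an absent row, column or right is a denial."""
    return right in matrix.get(subject, {}).get(obj, set())


def revoke_object(obj, matrix=MATRIX):
    """Revoking everyone's access to one object is a column operation: one
    step with an ACL, but a walk over every capability list. Returns the
    subjects that lost a right."""
    return [s for s, row in matrix.items() if row.pop(obj, None)]


def revoke_subject(subject, matrix=MATRIX):
    """Removing a departed subject is a row operation: one step with a
    capability table, but a walk over every ACL. Returns dropped objects."""
    return sorted(matrix.pop(subject, {}))


def render(matrix=MATRIX):
    """Lay the matrix out as a table for the reader."""
    objects = sorted({o for row in matrix.values() for o in row})
    lines = ["subject    " + "  ".join(f"{o:<12}" for o in objects)]
    for subj in sorted(matrix):
        cells = [",".join(sorted(matrix[subj].get(o, ()))) or "-" for o in objects]
        lines.append(f"{subj:<10} " + "  ".join(f"{c:<12}" for c in cells))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render())
    print("alice can:", capability_table("alice"))
    print("payroll.db ACL:", acl("payroll.db"))
```

Real systems store only one of the two views (file systems keep ACLs per object; capability systems hand tokens to subjects), so the "expensive" operation above is the one that needs a full scan in practice.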
Access Control Administration Models
Centralized
Decentralized
Centralized
Central department oversees access for all organizational resources. Ensures user access is controlled in a consistent manner across enterprise
Decentralized
Personnel closest to the resources oversee access control. This method ensures that those who know the data control access to it.
Provisioning Life Cycle
Formal process for creating, changing, removing users. This includes user approval, creation, creation standards, authorization
Users should always sign a statement explaining conditions and responsibilities
Access modification and removal procedures should be documented
User provision policies should be integrated as part of HR management. HR formally requests creation or deletion of user account
Access Control Monitoring
IDS
IPS
IDS - detects unauthorized access or attacks
IPS - detects and acts to prevent and contain attack
Access Control Monitoring
Network based IDS
Host based IDS
Network IDS - most common. monitors network traffic
Host based IDS - monitors traffic on single system. Protects system it is installed on by using audit trails and logs
IDS Implementations
Signature based
Anomaly based
Rule or Heuristic based
Signature based - analyzes traffic, compares it to attack or signatures in the IDS database
Anomaly based - analyzes traffic, compares it to normal traffic to determine if threat or not
Rule or Heuristic based - expert system that uses knowledge base, inference engine and rule-based programming. Knowledge is configured as rules. Data and traffic analyzed and rules applied to the analyzed traffic
Signature based implementations
Pattern Matching
Stateful Matching
Pattern Matching
compares traffic to database of attack patterns
Stateful Matching
records initial OS state. any changes to it that violate defined rules, result in alerts
Anomaly based implementations
statistical
protocol
traffic
statistical - samples live environment, the longer it runs the more accurate a profile will be built
protocol - has knowledge of protocols it’s monitoring. Profile of normal usage is built and compared
traffic - IDS tracks traffic pattern changes. All future traffic patterns are compared to the sample
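The signature and anomaly implementations on the cards differ in what they can see, which is easiest to show by running both over the same input. The following is an added example, not from the cards and not a vendor ruleset: a small signature engine, a statistical baseline with a threshold of mean plus three standard deviations, and a protocol-profile check, run over constructed web-server log lines in a constructed "<source-ip> <method> <path>" format.

```python
"""Added example, not from the cards: a signature (pattern-matching) engine
beside a statistical anomaly engine and a protocol check, run over
constructed web-server log lines. Patterns, log format and thresholds are
illustrative, not a vendor ruleset."""
import re
from collections import Counter
from statistics import mean, pstdev

# Signature database: known attack patterns matched against each request path.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-injection": re.compile(r"('|%27)(\s|%20|\+)*or(\s|%20|\+)+\d+=\d+", re.I),
    "shell-meta": re.compile(r"(;|\||%7c)\s*(cat|sh|bash)\b", re.I),
}
ALLOWED_METHODS = {"GET", "POST", "HEAD"}   # the protocol profile of normal use

# Constructed log lines, one request per line: "<source-ip> <method> <path>"
TRAINING = (["10.0.0.1 GET /index.html"] * 8 + ["10.0.0.2 GET /index.html"] * 9
            + ["10.0.0.3 GET /index.html"] * 10 + ["10.0.0.4 GET /index.html"] * 11
            + ["10.0.0.5 GET /index.html"] * 12)
LIVE = [
    "10.0.0.1 GET /index.html",
    "10.0.0.2 GET /../../etc/passwd",
    "10.0.0.3 GET /login?user=admin'%20OR%201=1",
    "10.0.0.4 TRACE /",
] + ["203.0.113.9 GET /a"] * 61          # one source hammering the server


def parse(line):
    src, method, path = line.split(" ", 2)
    return src, method, path


def signature_scan(lines):
    """Signature-based: a request is an alert if any pattern matches it.
    Catches only what is in the database, but with a clear verdict."""
    hits = []
    for line in lines:
        src, _, path = parse(line)
        hits.extend((name, src) for name, pat in SIGNATURES.items() if pat.search(path))
    return hits


def build_baseline(lines):
    """Statistical anomaly: learn the normal requests-per-source profile from
    a training window; the longer the window, the better the profile."""
    counts = Counter(parse(l)[0] for l in lines)
    return mean(counts.values()), pstdev(counts.values())


def rate_anomalies(lines, baseline, k=3):
    """Flag sources whose request count exceeds mean + k standard deviations.
    Sees the flood that no signature describes, but says nothing about why."""
    mu, sigma = baseline
    threshold = mu + k * sigma
    counts = Counter(parse(l)[0] for l in lines)
    return {src: n for src, n in counts.items() if n > threshold}


def protocol_anomalies(lines):
    """Protocol anomaly: the engine knows HTTP and flags methods outside the
    profile of normal use, whether or not a signature exists for them."""
    return [(src, m) for src, m, _ in map(parse, lines) if m not in ALLOWED_METHODS]


if __name__ == "__main__":
    print("signatures:", signature_scan(LIVE))
    print("rate anomalies:", rate_anomalies(LIVE, build_baseline(TRAINING)))
    print("protocol anomalies:", protocol_anomalies(LIVE))
```

The flooding source never trips a signature and the traversal attempt never trips the rate check, which is why production deployments run both engines and correlate their alerts.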
Access Control Threats
Password threats
Dictionary
attackers use dictionary of words to discover passwords
Brute Force (aka exhaustive attack) attackers work through all possible combinations of numbers and characters.
Access Control Threats
Social Engineering Attacks
Phishing - attackers obtain personal data by luring users to a fake website set up to mimic a legitimate one
Pharming - pollutes DNS cache of user’s computer so legitimate sites are rerouted to attacker’s site
Shoulder surfing
attacker watches when user enters login or other data
Identity theft
someone obtains personal information and uses it to assume identity of the victim
dumpster diving
attackers examine garbage to obtain confidential information
Access Control Threats
DOS / DDoS
Buffer Overflow
Mobile Code
DOS / DDoS
attackers flood a device with enough requests to degrade its performance or make it unavailable, e.g. SYN flood and Teardrop
Buffer Overflow
Data submitted to an application is larger than the buffer allocated for it and overwrites adjacent memory, which can crash the program or let the attacker execute code
Mobile Code
Any software transmitted over a network to be executed on local system.
Access Control Threats
Malicious Software Virus Worm Trojan Horse Spyware
Spoofing
Virus - malware that attaches to other application to replicate or distribute itself
Worm - malware that replicates itself without other application or human interaction
Trojan Horse - malware disguised as needed application while performing malicious activity
Spyware - Malware that collects private data
Spoofing - when communication from attacker appears to come from trusted source
Access Control Threats
Sniffing
Emanating
Backdoor / Trapdoor
Sniffing - device or software that collects all information transmitted over the medium
Emanating - electromagnetic signals emitted by electronic devices, which can leak data. TEMPEST is the US/UK program that researches ways to limit this
Backdoor / Trapdoor - hidden mechanism built into a device or program that gives a user privileged (root) access while bypassing normal authentication
Define a security domain
a domain that’s managed by the same group using the same security policy
A security domain builds upon the definition of a domain (set of resources available to a subject) by adding that the resources within the domain are working under the same security policy and managed by the same group
Different domains are separated by logical boundaries like firewalls, directory services, etc.
Does TACACS+ use TCP and encrypt all data between client and server?
yes
Does RADIUS only encrypt the password?
yes
Are Attribute Value Pairs (AVP’s) constructs that outline how entities will communicate?
yes
They are not protocol parameters
Is time synchronization a characteristic of counter-based token devices?
no
Counter-based means that the server and token share the same secret key and advance the same counter in step. The secret key encrypts the access code, which is the one-time password the user enters for authentication
At a trade show, is a constrained user interface a good way to prevent test users from gaining elevated privileges at a demonstration system?
yes
What type of token uses a challenge-response system?
Asynchronous
Server sends a challenge (nonce), user puts it into token which encrypts it and returns a value used as the one-time password
If you get several brute force attempts, is reducing the clipping level a good solution?
yes
In this case, the clipping level is the number of allowed failed login attempts before locking out the account.
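The clipping-level card under Auditing and Reporting and the brute-force card above are the same mechanism seen from two sides. The following is an added example, not from the cards, that runs it over constructed sshd-style log lines (the log format, account names and addresses are constructed): a per-account clipping level with a sliding window and reset on success, and a per-source count for the password-spray case that a per-account level never catches.

```python
"""Added example, not from the cards: failed-login counting against a
clipping level, run over constructed sshd-style log lines. The log format,
accounts and addresses are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(r"^(\S+) (Failed|Accepted) password for (\S+) from (\S+)$")

LOG = [  # constructed: alice is being brute-forced, bob just mistypes, and
         # 203.0.113.7 also sprays one guess at several other accounts
    "2024-05-01T10:00:01 Failed password for alice from 203.0.113.7",
    "2024-05-01T10:00:03 Failed password for bob from 198.51.100.3",
    "2024-05-01T10:00:10 Failed password for alice from 203.0.113.7",
    "2024-05-01T10:00:12 Failed password for bob from 198.51.100.3",
    "2024-05-01T10:00:15 Accepted password for bob from 198.51.100.3",
    "2024-05-01T10:00:20 Failed password for alice from 203.0.113.7",
    "2024-05-01T10:00:25 Failed password for carol from 203.0.113.7",
    "2024-05-01T10:00:30 Failed password for alice from 203.0.113.7",
    "2024-05-01T10:00:35 Failed password for dave from 203.0.113.7",
    "2024-05-01T10:00:40 Failed password for alice from 203.0.113.7",
    "2024-05-01T10:00:45 Failed password for erin from 203.0.113.7",
    "2024-05-01T10:00:50 Failed password for alice from 203.0.113.7",
    "2024-05-01T10:01:00 Failed password for bob from 198.51.100.3",
    "2024-05-01T10:01:05 Failed password for bob from 198.51.100.3",
]


def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    ts, outcome, user, src = m.groups()
    return datetime.fromisoformat(ts), outcome, user, src


def lockouts(lines, clipping_level, window=timedelta(minutes=5)):
    """Per-account clipping level: an account locks at the failure that
    brings its count inside the sliding window up to `clipping_level`; a
    successful login resets the count. Returns {account: lock timestamp}."""
    recent = defaultdict(deque)
    locked = {}
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, outcome, user, _ = parsed
        if user in locked:
            continue
        if outcome == "Accepted":
            recent[user].clear()
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= clipping_level:
            locked[user] = ts.isoformat()
    return locked


def noisy_sources(lines, clipping_level):
    """A password spray (one guess per account across many accounts) stays
    under every per-account level, so also clip on failures per source."""
    per_src = defaultdict(int)
    for line in lines:
        parsed = parse(line)
        if parsed and parsed[1] == "Failed":
            per_src[parsed[3]] += 1
    return {src: n for src, n in per_src.items() if n >= clipping_level}


if __name__ == "__main__":
    for level in (10, 5, 3):
        print(f"clipping level {level}:", lockouts(LOG, level))
    print("noisy sources at 5:", noisy_sources(LOG, 5))
```

Lowering the level from 10 to 5 is what turns alice's lockout on in this log; lowering it further starts to punish ordinary typos, so the per-source count is the better lever against the spray traffic.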
Are behavioral biometrics more or less accurate than physical attributes?
less. They can change over time
What is a virtual password?
the length and format required by the application