Access Control Flashcards

1
Q

Access Control Concepts

CIA Triad

Confidentiality
Integrity
Availability

A

Confidentiality
Prevents disclosure of data

Integrity
Ensures data is protected from corruption or unauthorized modification

Availability
Ensures data is accessible when and where it’s needed

2
Q

Access Control Concepts

Default Stance (default allow or default deny)

Defense in Depth

A

Default stance is either allow by default or deny by default

Deny by default is recommended because it’s stricter

Defense in depth is the practice of placing layers of security between attackers and the data and the resources it resides on

3
Q

Access Control Process

Identify Resources, Users, Relationships between them

A
ID resources
which need protection
How are they accessed
Which data on the resources will be accessed
Who will be accessing this data

ID Users
Document user levels and needs
Analyze needs against organizational policies, legal issues, data sensitivity and risk

4
Q

Identification and Authentication

A

Identification
act of user professing an identity, ie a user ID or username

authentication
validating a user with a unique identifier by providing credentials like a password

5
Q

3 Factors for Authentication

Knowledge
Ownership
Characteristic

A

Knowledge - something user knows, ie password

Ownership - something user possesses - smartcard

Characteristic - something a person is

6
Q

Knowledge Factors (Type 1 Factor)

A

Most popular form is a password

Also includes birthday, PIN, mother’s maiden name

If a knowledge factor is used, identity (account) and password management are crucial

7
Q

Identity and Account Management

5 elements of proper account management

A

Establish formal process for establishing, issuing, closing user accounts

Periodically review user accounts

Implement process for tracking access authorization

Periodically prescreen personnel in sensitive positions

Periodically verify legitimacy of user accounts

8
Q

Password Types and Management

Standard
Combination
Static
Complex
Passphrase
A

Standard - single words
Combination (composition) - mix of two unrelated words
Static - remains same for each login. Most often seen in P2P networks
Complex - mix of uppercase and lowercase letters, numbers, special characters
Passphrase - a long phrase

9
Q

Password Types and Management

Cognitive
One Time Passwords (dynamic)
Graphical
Numeric

A

Cognitive - piece of information, usually a series of questions based on user’s life (first car, favorite color)

OTP - only used once

Graphical - uses pictures, like CAPTCHA

Numeric - only has numbers, easier to guess because possibilities are known

10
Q

Password Policies

A
Password Life
Password history
Authentication period - how long user can stay logged in
Password complexity
Password length
11
Q

Password Types and Management
(Knowledge Factors)

password locations and default accounts
Linux, UNIX
Windows

A

/etc/passwd
/etc/shadow (protected)
root account

c:\windows\system32\config\SAM
administrator and guest accounts

12
Q

Password Types and Management
Ownership Factors, Type 2 authentication factor

Tokens
Memory Cards
Smart Cards

A

Synchronous token generates unique password at fixed time intervals with the authentication server

Asynchronous token generates password based on challenge/response, with token generating the correct response to server’s challenge

Memory card is a card containing authentication information

Smart Cards - contain a chip
contact cards require physical contact
contactless cards / proximity cards
hybrid cards are both contact and contactless

13
Q

Password Types and Management
Characteristic Factors, Type 3 authentication factor
Biometrics

Physiological Characteristics
Behavioral Characteristics

A

Physiological - unique attributes of the user: iris, fingerprints, etc

Behavioral - measure actions: voice patterns, data entry characteristics

14
Q

Types of physiological factors

A

fingerprint
finger scan
hand geometry - size, shape, finger length
hand topography - peaks, valleys, shape of hand
palm or hand scan
facial scan - bone structure, eye width, etc
retina scan - retinal blood vessel pattern
iris scan - scans colored portion of eye, rifts, coronas, furrows
vascular scans - pattern of veins in hand or face

15
Q

Behavioral Characteristics

A

Signature dynamic
stroke speed, pen pressure, acceleration, deceleration

Keystroke dynamics
measures typing pattern when inputting password or predetermined phrase

Voice Pattern or print
measures sound pattern of user stating certain word

16
Q

Biometric Considerations

Enrollment Time
Feature Extraction
Accuracy
Throughput Rate
Acceptability
A

Enrollment Time
Process of obtaining sample used by biometric system

Feature Extraction
approach to obtaining biometric info from user

Accuracy
most important characteristic of biometric systems

Throughput Rate
Rate that system can scan characteristics and complete the analysis to permit / deny

Acceptability
Likelihood that users will accept and follow the system

17
Q

Biometric Considerations

(FRR) False Rejection Rate
Type 1 Error

(FAR) False Acceptance Rate
Type 2 Error

(CER) Crossover Error Rate

A

FRR - Measurement of valid users that will be falsely rejected by the system. Type 1 Error

FAR - Measurement of percentage of invalid users that will be falsely accepted by the system. Type 2 Error

CER - Point where FRR = FAR
This is the most important metric. Expressed as a percentage

18
Q

Authorization Concepts

Access Control policy

Separation of Duties

A

Access Control policy defines methods for identifying and authenticating users and the level of access granted to them

Separation of Duties
Prevents fraud by distributing tasks and their rights and privileges between more than one user.
1. Dual Controls
2. Split Knowledge - no single user has all the knowledge to perform a certain task. ie one bank officer knows half of the combination, the other officer knows the other half.

19
Q

Authorization Concepts

Principle of Least Privilege

Need to Know Principle

A

Principle of Least Privilege
Requires that a user or process has only the minimum privileges needed to do a certain task

Need to Know Principle
defines the minimums for each job or function

21
Q

Authorization Concepts

No Access

Directory Service

SSO (Single Sign-On)

A

No Access is recommended default level of access

Directory Service - database for centralizing data management for network subjects and objects

  1. X.500
  2. LDAP
  3. X.400

SSO - enter credentials once to access all resources. Can be implemented in Kerberos and SESAME (Secure European System for Applications in Multivendor Environment)

Any directory service should provide a single sign on

22
Q

Authorization Concepts

Kerberos

A

authentication protocol using a client server model
default authentication model for Windows Server and used in Apple, Sun, Linux

Uses symmetric key cryptography, provides integrity and confidentiality

KDC (Key Distribution Center) is repository for all user and service secret keys

23
Q

Kerberos Process

4 Steps

A
  1. User accesses KDC
  2. KDC gives TGT (Ticket Granting Ticket)
  3. User gives TGT to Resource Server
  4. Resource Server provides access
24
Q

Authorization Process

Security Domain

A

set of resources that follow same security policies and are available to a subject

Domains are usually arranged in a hierarchical structure of parent and child domains

26
Q

Federated Identity

2 Models that it’s based on

Cross Certification

Trusted Third-Party

A

portable identity that can be used across organizations

Each organization that joins federation agrees to enforce common policies and standards

Cross-Certification Model
each organization certifies every other one is trusted. Each organization must verify and certify other orgs meet or exceed standards

Trusted third party or bridge Model
Each organization subscribes to standards of a third party, the third party manages verification, certification, due diligence for all organizations

27
Q

User Accountability

A

Organization’s ability to hold users responsible for their actions

Usually involves

Auditing, Reporting

Vulnerability Assessments

Penetration Testing

Threat Modeling

28
Q

Auditing and Reporting

A

Ensures users are held accountable for their actions

You should monitor:
network, system, application, user events. Maybe keystroke activity

Remember that auditing impacts performance

29
Q

Guidelines for Auditing

A

Develop audit log management plan (control size, backups, reviews)

Ensure ability to delete audit log requires 2 people

Monitor all high level accounts

Ensure audit trail includes who processed transaction, when it happened, where it happened, whether it succeeded or not

Ensure deleting the log and data in it can’t occur unless user has appropriate permissions

30
Q

Auditing and Reporting

baselining
clipping levels
notifications

A

To identify abnormal patterns of behavior you should first identify normal patterns of behavior

Establish a clipping level, a baseline of errors above which violations will be recorded

Audit trails must be monitored, automatic notifications should be configured

31
Q

Vulnerability Assessment

Personnel
Physical
System and Network

A

Personnel - reviews standard practices and procedures that users follow

Physical - reviews facility and perimeter protection

System and Network - review systems, devices, network topology

32
Q

Penetration Testing

5 Steps

A

Simulate attack to ID threats from internal or external sources that could exploit vulnerabilities of a system or device

  1. document target system or device
  2. gather info about attack methods including port scanning
  3. ID known vulnerabilities of target
  4. execute attacks against target to gain user or privileged access
  5. document results of pen test, report findings with suggestions for remediation
33
Q

Penetration Testing

Blind Test

Double-Blind Test

Target Test

A

Blind Test
testing team given limited knowledge of the network using publicly available info. Security team knows attack is coming. This requires more work by testing team, it must simulate actual attack

Double-blind Test
Like blind test except Security Team doesn’t know attack is coming. Requires equal effort for testing and security teams

Target Test
Both testing and security teams are given maximum information about network and the type of test. Easiest test to complete but won’t provide full picture of organization’s security

34
Q

Penetration Testing

Zero-Knowledge Test

Partial-Knowledge Test

Full-Knowledge Test

A

Zero-Knowledge Test (Black Box Test)
Testing team provided with no knowledge about organization’s network. They can use any means possible to learn about it.

Partial-Knowledge Test
Testing team provided with public knowledge about organization’s network. Boundaries might be set for this type of test

Full-Knowledge Test
Testing team provided with all available knowledge about organization’s network. This test focused more on what attacks can be carried out.

35
Q

Threat Modeling
aka
Risk Assessment

A

Lets you apply structured approach to security and address top threats that have greatest impact to your application first.

36
Q

Access Control Categories

7 Main Categories

  1. Compensative
  2. Corrective
  3. Detective
  4. Deterrent
A
  1. Compensative - acts as mitigation to risks. ie two signatures to release sensitive information, or 2 keys for safe deposit box
  2. Corrective - reduces effect of attack. ie fire extinguishers, isolating or terminating connection, new firewall rules.
  3. Detective - detects attack while it’s occurring and alerts personnel. ie motion detectors, IDS, guards, job rotation, investigations
  4. Deterrent - deters or discourages attackers. Often trigger preventive and corrective controls. ie User ID and authentication, fences, lighting, security policies and NDA’s
38
Q

Access Control Categories

  1. Directive
  2. Preventive
  3. Recovery
A
  1. Directive - Specifies acceptable practice in an organization. Often is an AUP, an acceptable use policy that lists proper and improper procedures
  2. Preventive - Prevents attack from occurring. ie locks, badges, biometrics, encryption, IPS, antivirus, personnel security, guards, passwords, training
  3. Recovery - recovers a system after an attack has occurred. ie Disaster Recovery plans, backups, offsite facilities
39
Q

3 Access Control Types

  1. Administrative (Management)
  2. Logical (Technical)
  3. Physical
A
  1. Administrative - administers organization’s assets and personnel. ie personnel controls, data classification, data labeling, security awareness training, supervision
  2. Logical (Technical) - Restricts access. ie firewalls, IDS, IPS, encryption, authentication systems, protocols, auditing, monitoring, biometrics, smart cards, passwords
  3. Physical - Protects organization’s facilities and personnel. ie perimeter security, badges, cards, guards, dogs, man traps, biometrics, cabling
40
Q

Access Control Models

Discretionary Access Control

Mandatory Access Control

Role-Based Access Control

A

Discretionary Access Control
Owner of object specifies which subjects can access the resource. Access based on subject’s identity, profile or role. DAC is a need-to-know control

Mandatory Access Control
Subject authorization is based on security labels. MAC is prohibitive because it’s based on security label system. Under MAC everything not expressly allowed is denied. Only administrators can change category of a resource

Role-Based Access Control
Each subject assigned to one or more roles. Roles are hierarchical. Access control based on the roles. Can be used to easily enforce minimum privileges for subjects

41
Q

Access Control Models

Rule-Based Access Control (not role-based)

Content-Dependent Access Control

Context-Dependent Access Control

A

Rule-Based Access Control (not role-based)
facilitates frequent changes to data permissions. Using this method, a security policy is based on global rules for all users

Content-Dependent Access Control
makes access decisions based on data contained within the object

Context-Dependent Access Control
based on subject or object attributes or environmental characteristics. These characteristics can include location or time of day

42
Q

Access Control Models

Access Control Matrix

Capabilities Table

Access Control List

A

Access Control Matrix
table that has subjects, list of objects and list of actions that a subject can take on each object. Rows in the matrix are the subjects and columns are the objects

Capabilities Table (for subject)
A capability corresponds to a subject's row from an Access Control Matrix. A capability table lists access rights that a particular subject has to objects. A capability table is about the subject

ACL (for object)
corresponds to an object’s column from an Access Control Matrix. an ACL lists all the access rights that subjects have to a particular object.
An ACL is about the object

43
Q

Access Control Administration Models

Centralized

Decentralized

A

Centralized
Central department oversees access for all organizational resources. Ensures user access is controlled in a consistent manner across enterprise

Decentralized
Personnel closest to resources oversee the access control. This method ensures that those who know the data control the access to it.

44
Q

Provisioning Life Cycle

A

Formal process for creating, changing, removing users. This includes user approval, creation, creation standards, authorization

Users should always sign a statement explaining conditions and responsibilities

Access modification and removal procedures should be documented

User provisioning policies should be integrated as part of HR management. HR formally requests creation or deletion of user account

45
Q

Access Control Monitoring

IDS

IPS

A

IDS - detects unauthorized access or attacks

IPS - detects and acts to prevent and contain attack

46
Q

Access Control Monitoring

Network based IDS

Host based IDS

A

Network IDS - most common. monitors network traffic

Host based IDS - monitors traffic on single system. Protects system it is installed on by using audit trails and logs

47
Q

IDS Implementations

Signature based
Anomaly based
Rule or Heuristic based

A

Signature based - analyzes traffic, compares it to attack signatures in the IDS database

Anomaly based - analyzes traffic, compares it to normal traffic to determine if threat or not

Rule or Heuristic based - expert system that uses knowledge base, inference engine and rule-based programming. Knowledge is configured as rules. Data and traffic analyzed and rules applied to the analyzed traffic

48
Q

Signature based implementations

Pattern Matching
Stateful Matching

A

Pattern Matching
compares traffic to database of attack patterns

Stateful Matching
records initial OS state. Any changes to it that violate defined rules result in alerts

49
Q

Anomaly based implementations

statistical
protocol
traffic

A

statistical - samples live environment, the longer it runs the more accurate a profile will be built

protocol - has knowledge of protocols it’s monitoring. Profile of normal usage is built and compared

traffic - IDS tracks traffic pattern changes. All future traffic patterns are compared to the sample

50
Q

Access Control Threats

Password threats

A

Dictionary
attackers use dictionary of words to discover passwords

Brute Force (aka exhaustive attack)
attackers work through all possible combinations of numbers and characters.
51
Q

Access Control Threats

Social Engineering Attacks

A

Phishing - attackers learn personal data by implementing fake website to mimic legitimate one

Pharming - pollutes DNS cache of user’s computer so legitimate sites are rerouted to attacker’s site

Shoulder surfing
attacker watches when user enters login or other data

Identity theft
someone obtains personal information and uses it to assume identity of the victim

dumpster diving
attackers examine garbage to obtain confidential information

52
Q

Access Control Threats

DOS / DDoS
Buffer Overflow
Mobile Code

A

DOS / DDoS
attackers flood device with enough requests to degrade performance of targeted device. Examples: SYN flood and Teardrop

Buffer Overflow
Data submitted to application is larger than the buffer can handle

Mobile Code
Any software transmitted over a network to be executed on local system.

53
Q

Access Control Threats

Malicious Software
Virus
Worm
Trojan Horse
Spyware

Spoofing

A

Virus - malware that attaches to other application to replicate or distribute itself

Worm - malware that replicates itself without other application or human interaction

Trojan Horse - malware disguised as needed application while performing malicious activity

Spyware - Malware that collects private data

Spoofing - when communication from attacker appears to come from trusted source

55
Q

Access Control Threats

Sniffing
Emanating
Backdoor / Trapdoor

A

Sniffing - device or software that collects all information transmitted over the medium

Emanating - electromagnetic signals that are emitted by electronic device. TEMPEST by US and UK researches ways to limit this

Backdoor / Trapdoor - mechanism implemented in a device that gives a user root access to it

56
Q

Define a security domain

A

a domain that’s managed by the same group using the same security policy

A security domain builds upon the definition of a domain (set of resources available to a subject) by adding that the resources within the domain are working under the same security policy and managed by the same group

Different domains are separated by logical boundaries like firewalls, directory services, etc.

57
Q

Does TACACS+ use TCP and encrypt all data between client and server?

A

yes

58
Q

Does RADIUS only encrypt the password?

A

yes

59
Q

Are Attribute Value Pairs (AVP’s) constructs that outline how entities will communicate?

A

yes

They are not protocol parameters

60
Q

Is time synchronization a characteristic of counter-based token devices?

A

no

Counter-based means that the server and token share the same list of access codes and secret key. The secret key encrypts the access code, which is the one-time password the user enters for authentication

61
Q

At a trade show, is a constrained user interface a good way to prevent test users from gaining elevated privileges at a demonstration system?

A

yes

62
Q

What type of token uses a challenge-response system?

A

Asynchronous

Server sends a challenge (nonce), user puts it into token which encrypts it and returns a value used as the one-time password

63
Q

If you get several brute force attempts, is reducing the clipping level a good solution?

A

yes

In this case, the clipping level is the number of allowed failed login attempts before locking out the account.

64
Q

Are behavioral biometrics more or less accurate than physical attributes?

A

less. They can change over time

65
Q

What is a virtual password?

A

the length and format required by the application