Access Control

Question 1

Access Control Concepts

CIA Triad

Confidentiality
Integrity
Availability

Answer 1

Confidentiality
Prevents disclosure of data

Integrity
Ensures data is protected from corruption or unauthorized modification

Availability
Ensures data accessible when and where it’s needed

Question 2

Access Control Concepts

Default Stance (default allow or default deny)

Defense in Depth

Answer 2

Default stance is either an allow by default, or deny by default

Deny by default is recommended because it’s stricter

Defense in depth is the practice of using layers of security between the data and the resources it resides on, and attackers

Question 3

Access Control Process

Identify Resources, Users, Relationships between them

Answer 3

ID resources
which need protection
How are they accessed
Which data on the resources will be accessed
Who will be accessing this data

ID Users
Document user levels and needs
Analyze needs against organizational polices, legal issues, data sensitivity and risk

Question 4

Identification and Authentication

Answer 4

Identification
act of user professing an identity, ie a user ID or username

authentication
validating a user with a unique identifier by providing credentials like a password

Question 5

3 Factors for Authentication

Knowledge
Ownership
Characteristic

Answer 5

Knowledge - something user knows, ie password

Ownership - something user possesses - smartcard

Characteristic - something a person is

Question 6

Knowledge Factors (Type 1 Factor)

Answer 6

Most popular form is a password

Also includes birthday, PIN, mother’s maiden name

If knowledge factor is used, identity (account) and password word management are crucial

Question 7

Identity and Account Management

5 elements of proper account management

Answer 7

Establish formal process for establishing, issuing, closing user accounts

Periodically review user accounts

Implement process for tracking access authorization

Periodically prescreen personnel in sensitive positions

Periodically verify legitimacy of user accounts

Question 8

Password Types and Management

Standard
Combination
Static
Complex
Passphrase

Answer 8

Standard - single words
Combination (composition)- mix of two unrelated words
Static - remains same for each login. Most often seen in P2P networks
Complex - mix of upper, lowercase letter, numbers, special characters
Passphrase - a long phrase

Question 9

Password Types and Management

Cognitive
One Time Passwords (dynamic)
Graphical
Numeric

Answer 9

Cognitive - piece of information, usually a series of questions based on user’s life (first car, favorite color)

OTP - only used once

Graphical - uses pictures, like CAPTCHA

Numeric - only has numbers, easier to guess because possibilities are known

Question 10

Password Policies

Answer 10

Password Life
Password history
Authentication period - how long user can stay logged in
Password complexity
Password length

Question 11

Password Types and Management
(Knowledge Factors)

password locations and default accounts
Linux, UNIX
Windows

Answer 11

/etc/passwd
/etc/shadow (protected)
root account

c:\windows\system32\config\SAM
administrator and guest accounts

Question 12

Password Types and Management
Ownership Factors, Type 2 authentication factor

Tokens
Memory Cards
Memory Cards
Smart Cards

Answer 12

Synchronous token generates unique password at fixed time intervals with the authentication server

Asynchronous token generates password based on challenge/response, with token generating correcting response to server’s challenge

Memory card is a card containing authentication information

Smart Cards - contain a chip
contact cards require physical contact
contactless cards / proximity cards
hybrid cards are both contact and contactless

Question 13

Password Types and Management
Characteristic Factors, Type 3 authentication factor
Biometrics

Physiological Characteristics
Behavioral Characteristics

Answer 13

Physiological - unique attributes of the user: iris, fingerprints, etc

Behavioral - measure actions: voice patterns, data entry characteristics

Question 14

Types of physiological factors

Answer 14

fingeprint
finger scan
hand geometry - size, shape, finger length
hand topography - peaks, valleys, shape of hand
palm or hand scan
facial scan - bone structure, eye width, etc
retina scan - retinal blood vessel pattern
iris scan - scans colored portion of eye, rifts, coronas, furrows
vascular scans - pattern of veins in hand or face

Question 15

Behavioral Characteristics

Answer 15

Signature dynamic
stroke speed, pen pressure, acceleration, deceleration

Keystroke dynamics
measures typing pattern when inputting password or predetermined phrase

Voice Pattern or print
measures sound pattern of user stating certain word

Question 16

Biometric Considerations

Enrollment Time
Feature Extraction
Accuracy
Throughput Rate
Acceptability

Answer 16

Enrollment Time
Process of obtaining sample used by biometric system

Feature Extraction
approach to obtaining biometric info from user

Accuracy
most important characteristics of biometric systems

Throughput Rate
Rate that system can scan characteristics and complete the analysis to permit / deny

Acceptability
Likelihood that users will accept and follow the system

Question 17

Biometric Considerations

(FRR) False Rejection Rate
Type 1 Error

(FAR) False Acceptance Rate
Type 2 Error

(CER) Crossover Error Rate

Answer 17

FRR - Measurement of valid users that will be falsely rejected by the system. Type 1 Error

FAR - Measurement of percentage of invalid users that will be falsely accepted by the system. Type 2 Error

CER - Point where FRR = FAR
This is the most important metric. Expressed as a percentage

Question 18

Authorization Concepts

Access Control policy

Separation of Duties

Answer 18

Access Control policy defines methods for identifying and authenticating users and the level access granted to them

Separation of Duties
Prevents fraud by distributing tasks and their rights and privilege between more than one user.
1. Dual Controls
2. Split Knowledge - no single user has all knowledge to perform certain task. ie one bank officer half combination, other officer knows other.

Question 19

Authorization Concepts

Principle of Least Privilege

Need to Know Principle

Answer 19

Principle of Least Privilege
Requires user or process has only minimum privileges needed to do a certain task

Need to Know Principle
defines the minimums for each job or function

Question 20

Authorization Concepts

No Access

Directory Service

SSO (Single Sign-On)

Answer 20

No Access is recommended default level of access

Directory Service - database for centralizing data management for network subjects and objects

1. X.500
2. LDAP
3. X.400

SSO - enter credentials once to access all resources. Can be implemented in Kerberos and SESAME (Secure European System for Applications in Multivendor Environment)

Question 21

Authorization Concepts

No Access

Directory Service

SSO (Single Sign-On)

Answer 21

No Access is recommended default level of access

Directory Service - database for centralizing data management for network subjects and objects

1. X.500
2. LDAP
3. X.400

SSO - enter credentials once to access all resources. Can be implemented in Kerberos and SESAME (Secure European System for Applications in Multivendor Environment)

Any directory service should provide a single sign on

Question 22

Authorization Concepts

Kerberos

Answer 22

authentication protocol using a client server model
default authentically model for Windows Server and used in Apple, Sun, Linux

Uses symmetric key cryptography, provides integrity and confidentiality

KDC (Key Distribution Center) is repository for all user and service secret keys

Question 23

Kerberos Process

4 Steps

Answer 23

1. User access KDC
2. KDC gives TGT (Ticket Granting Ticket)
3. User gives TGT to Resource Server
4. Resource Server provides access

Question 24

Authorization Process

Security Domain

Answer 24

set of resources that follow same security policies and are available to a subject

Domains usually arranged in hierarchal structure of parent and child domains

Question 25

Federated Identity

Answer 25

portable identity that can be used across organizations

Each organization that joins federation agrees to enforce common policies and standards

Cross-Certification Model
each organization certifies every other one is trusted. Each organization must verify and certify other orgs meet or exceed standards

Trusted third party or bridge Model
Each organization subscribes to standards of a third party, the third party manages verification, certification, due diligence for all organizations

Question 26

Federated Identity

2 Models that it’s based on

Cross Certification

Trusted Third-Party

Answer 26

portable identity that can be used across organizations

Each organization that joins federation agrees to enforce common policies and standards

Cross-Certification Model
each organization certifies every other one is trusted. Each organization must verify and certify other orgs meet or exceed standards

Trusted third party or bridge Model
Each organization subscribes to standards of a third party, the third party manages verification, certification, due diligence for all organizations

Question 27

User Accountability

Answer 27

Organization’s ability hold users responsible for their actions

Usually involves

Auditing, Reporting

Vulnerability Assessments

Penetration Testing

Threat Modeling

Question 28

Auditing and Reporting

Answer 28

Ensures uses held accountable for their actions

You should monitor:
network, system, application, user events. Maybe keystroke activity

Remember that auditing impacts performance

Question 29

Guidelines for Auditing

Answer 29

Develop audit log management plan (control size, backups, reviews)

Ensure ability to delete audit log requires 2 people

Monitor all high level accounts

Ensure audit trail includes who processed transaction, when it happened, where it happened, whether it succeeded or not

Ensure deleting the log and data in it can’t occur unless user has appropriate permissions

Question 30

Auditing and Reporting

baselining
clipping levels
notifications

Answer 30

To identify abnormal patterns of behavior you should first identify normal patterns of behavior

Establish a clipping level, a baseline of errors above which violations will be recorded

Audit trails must be monitored, automatic notifications should be configured

Question 31

Vulnerability Assessment

Personnel
Physical
System and Network

Answer 31

Personnel - reviews standard practices and procedures that users follow

Physical - reviews facility and perimeter protection

System and Network - review systems, devices, network topology

Question 32

Penetration Testing

5 Steps

Answer 32

Simulate attack to ID threats from internal or external sources that could exploit vulnerabilities of a system or device

1. document target system or device
2. gather info about attack methods including port scanning
3. ID known vulnerabilities of target
4. execute attacks against target to gain user or privileged access
5. document results of pen test, report findings with suggestions for remediation

Question 33

Penetration Testing

Blind Test

Double-Blind Test

Target Test

Answer 33

Blind Test
testing team given limited knowledge of the network using publicly available info. Security team knows attack is coming. This requires more work by testing team, it must simulate actual attack

Double-blind Test
Like blind test except Security Team doesn’t know attack is coming. Requires equal effort for testing and security teams

Target Test
Both testing and security teams are given maximum information about network and the type of test. Easiest test to complete but won’t provide full picture of organization’s security

Question 34

Penetration Testing

Zero-Knowledge Test

Partial-Knowledge Test

Full-Knowledge Test

Answer 34

Zero-Knowledge Test (Black Box Test)
Testing team provided with no knowledge about organization’s network. They can use any means possible to learn about it.

Partial-Knowledge Test
Testing team provided with public knowledge about organization’s network. Boundaries might be set for this type of test

Full-Knowledge Test
Testing team provided with all available knowledge about organization’s network. This test focused more on what attacks can be carried out.

Question 35

Threat Modeling
aka
Risk Assessment

Answer 35

Lets you apply structured approach to security and address top threats that have greatest impact to your application first.

Question 36

Access Control Categories

7 Main Categories

1. Compensative
2. Corrective
3. Detective
4. Deterrent

Answer 36

1. Compensative - acts as mitigation to risks. ie two signatures to release sensitive information, or 2 keys for safe deposit box
2. Corrective - reduces effect of attack. ie fire extinguishers, isolating or terminating connection, new firewall rules.
3. Detective - detects attack while it’s occurring and alerts personnel. ie motion doctors, IDS, guards, job rotation, investigations
4. Deterrent - deters or discourages attackers. Often trigger preventive and corrective controls. ie User ID and authentication, fences, lighting, security policies and NDA’s

Question 37

Access Control Categories

7 Main Categories

1. Compensative
2. Corrective
3. Detective
4. Deterrent

Answer 37

1. Compensative - acts as mitigation to risks. ie two signatures to release sensitive information, or 2 keys for safe deposit box
2. Corrective - reduces effect of attack. ie fire extinguishers, isolating or terminating connection, new firewall rules.
3. Detective - detects attack while it’s occurring and alerts personnel. ie motion doctors, IDS, guards, job rotation, investigations
4. Deterrent - deters or discourages attackers. Often trigger preventive and corrective controls. ie User ID and authentication, fences, lighting, security policies and NDA’s

Question 38

Access Control Categories

5. Directive
6. Preventive
7. Recovery

Answer 38

5. Directive - Specifies acceptable practice in an organization. Often is a AUP, acceptable use policy that lists proper and improper procedures
6. Preventive - Prevents attack from occurring. ie locks, badges, biometrics, encryption, IPS, antivirus, personnel security, guards, passwords, training
7. Recovery - recovers a system after an attack has occurred. ie Disaster Recovery plans, backups, offsite facilities

Question 39

3 Access Control Types

1. Administrative (Management)
2. Logical (Technical)
3. Physical

Answer 39

1. Administrative - administers organization’s assets and personnel. ie personnel controls, data classification, data labeling, security awareness training, supervision
2. Logical (Technical) - Restricts access. ie firewalls, IDS, IPS, encryption, authentication systems, protocols, auditing, monitoring, biometrics, smart cards, passwords
3. Physical - Protects organization’s facilities and personnel. ie perimeter security, badges, cards, guards, dogs, man traps, biometrics, cabling

Question 40

Access Control Models

Discretionary Access Control

Mandatory Access Control

Role-Based Access Control

Answer 40

Discretionary Access Control
Owner of object specifies which subjects can access the resource. Access based on subject’s identity, profile or role. DAC is a need-to-know control

Mandatory Access Control
Subject authorization is based on security labels. MAC is prohibitive because it’s based on security label system. Under MAC everything not expressly allowed is denied. Only administrators can change category of a resource

Role-Based Access Control
Each subject assigned to one or more roles. Roles are hierarchical. Access control based on the roles. Can be used to easily enforce minimum privileges for subjects

Question 41

Access Control Models

Rule-Based Access Control (not role-based)

Content-Dependent Access Control

Context-Dependent Access Control

Answer 41

Rule-Based Access Control (not role-based)
facilitates frequent changes to data permissions. Using this method, a security policy is based on global rules for all users

Content-Dependent Access Control
makes access decisions based on data contained within the object

Context-Dependent Access Control
based on subject or object attributes or environmental characteristics. These characteristics can include locations or time of data

Question 42

Access Control Models

Access Control Matrix

Capabilities Table

Access Control List

Answer 42

Access Control Matrix
table that has subjects, list of objects and list of actions that a subject can take on each object. Rows in the matrix are the subjects and columns are the objects

Capabilities Table (for subject)
A capability corresponds to a subject's row from an Access Control Matrix. A capability table lists access rights that a particular subject has to objects. A capability table is about the subject

ACL (for object)
corresponds to an object’s column from an Access Control Matrix. an ACL lists all the access rights that subjects have to a particular object.
An ACL is about the object

Question 43

Access Control Administration Models

Centralized

Decentralized

Answer 43

Centralized
Central department oversees access for all organizational resources. Ensures user access is controlled in a consistent manner across enterprise

Decentralized
Personnel closest to resources oversee the access control. This methods ensure that those who know the data, control the access to it.

Question 44

Provisioning Life Cycle

Answer 44

Formal process for creating, changing, removing users. This includes user approval, creation, creation standards, authorization

Users should always sign a statement explaining conditions and responsibilities

Access modification and removal procedures should be documented

User provision policies should be integrated as part of HR management. HR formally requests creation or deletion of user account

Question 45

Access Control Monitoring

IDS

IPS

Answer 45

IDS - detects unauthorized access or attacks

IPS - detects and acts to prevent and contain attack

Question 46

Access Control Monitoring

Network based IDS

Host based IDS

Answer 46

Network IDS - most common. monitors network traffic

Host based IDS - monitors traffic on single system. Protects system it is installed on by using audit trails and logs

Question 47

IDS Implementations

Signature based
Anomaly based
Rule or Heuristic based

Answer 47

Signature based - analyzes traffic, compares it to attack or signatures in the IDS database

Anomaly based - analyzes traffic, compares it to normal traffic to determine if threat or not

Rule or Heuristic based - expert system that uses knowledge base, inference engine and rule-based programming. Knowledge is configured as rules. Data and traffic analyzed and rules applied to the analyzed traffic

Question 48

Signature based implementations

Pattern Matching
Stateful Matching

Answer 48

Pattern Matching
compares traffic to database of attack patterns

Stateful Matching
records initial OS state. any changes to it that violate defined rules, result in alerts

Question 49

Anomaly based implementations

statistical
protocol
traffic

Answer 49

statistical - samples live environment, the longer it runs the more accurate a profile will be built

protocol - has knowledge of protocols it’s monitoring. Profile of normal usage is built and compared

traffic - IDS tracks traffic pattern changes. All future traffic patterns are compared to the sample

Question 50

Access Control Threats

Password threats

Answer 50

Dictionary
attackers use dictionary of words to discover passwords

Brute Force (aka exhaustive attack)
attackers work through all possible combinations of numbers and characters.

Question 51

Access Control Threats

Social Engineering Attacks

Answer 51

Phishing - attackers learn personal data by implementing fake website to mimic legitimate one

Pharming - pollutes DNS cache of user’s computer so legitimate sites are rerouted to attacker’s site

Shoulder surfing
attacker watches when user enters login or other data

Identity theft
someone obtains personal information and uses it to assume identity of the victim

dumpster diving
attackers examine garbage to obtain confidential information

Question 52

Access Control Threats

DOS / DDoS
Buffer Overflow
Mobile Code

Answer 52

DOS / DDoS
attackers flood device with enough requests to degrade performance of targeted device. Synflood and Teardrop

Buffer Overflow
Data submitted to application is larger than the buffer can handle

Mobile Code
Any software transmitted over a network to be executed on local system.

Question 53

Access Control Threats

Malicious Software
Virus
Worm
Trojan Horse
Spyware

Spoofing

Answer 53

Virus - malware that attaches to other application to replicate or distribute itself

Worm - malware that replicates itself without other application or human interaction

Trojan Horse - malware disguised as needed application while performing malicious activity

Spyware - Malware that collects private data

Spoofing - when communication from attacker appears to come from trusted source

Question 54

Access Control Threats

Malicious Software
Virus
Worm
Trojan Horse
Spyware

Spoofing

Answer 54

Virus - malware that attaches to other application to replicate or distribute itself

Worm - malware that replicates itself without other application or human interaction

Trojan Horse - malware disguised as needed application while performing malicious activity

Spyware - Malware that collects private data

Spoofing - when communication from attacker appears to come from trusted source

Question 55

Access Control Threats

Sniffing
Emanating
Backdoor / Trapdoor

Answer 55

Sniffing - device or software that collects all information transmitted over the medium

Emanating - electromagnetic signals that are emitted by electronic device. TEMPEST by US and UK researches ways to limit this

Backdoor / Trapdoor - mechanism implemented in devices that give user root access to it

Question 56

Define a security domain

Answer 56

a domain that’s managed by the same group using the same security policy

A security domain builds upon the definition of a domain (set of resources available to a subject) by adding that the resources within the domain are working under the same security policy and managed by the same group

Different domains are separated by logical boundaries like firewalls, directory services, etc.

Question 57

Does TACACS+ use TCP and encrypt all data between client and server?

Answer 57

yes

Question 58

Does RADIUS only encrypt the password?

Answer 58

yes

Question 59

Are Attribute Value Pairs (AVP’s) constructs that outline how entities will communicate?

Answer 59

yes

They are not protocol parameters

Question 60

Is time synchronization a characteristic of counter-based token devices?

Answer 60

no

Counter-based means that the server and token share the same list of access codes and secret key. The secret key encrypts the access cord, which is the one time password the user enters for authentication

Question 61

At a trade show, is a constrained user interface a good way to prevent test users from gaining elevated privileges at a demonstration system?

Answer 61

yes

Question 62

What type of token uses a challenge-response system?

Answer 62

Asynchronous

Server sends a challenge (nonce), user puts it into token which encrypts it and returns a value used as the one-time password

Question 63

If you get several brute force attempts, is reducing the clipping level a good solution?

Answer 63

yes

In this case, the clipping level is the number of allowed failed login attempts before locking out the account.

Question 64

Are behavioral biometrics more or less accurate than physical attributes?

Answer 64

less. They can change over time

Question 65

What is a virtual password?

Answer 65

the length and format required by the application