Access Control Flashcards
Access Control Concepts
CIA Triad
Confidentiality
Integrity
Availability
Confidentiality
Prevents unauthorized disclosure of data
Integrity
Ensures data is protected from corruption or unauthorized modification
Availability
Ensures data is accessible when and where it’s needed
Access Control Concepts
Default Stance (default allow or default deny)
Defense in Depth
Default stance is either allow by default or deny by default
Deny by default is recommended because it’s stricter
Defense in depth is the practice of placing multiple layers of security between attackers and the data and the resources it resides on
Access Control Process
Identify Resources, Users, Relationships between them
ID resources which need protection
How are they accessed
Which data on the resources will be accessed
Who will be accessing this data
ID Users
Document user levels and needs
Analyze needs against organizational policies, legal issues, data sensitivity and risk
Identification and Authentication
Identification
act of a user professing an identity, e.g. a user ID or username
Authentication
validating a user’s claimed identity by having them provide credentials, like a password
3 Factors for Authentication
Knowledge
Ownership
Characteristic
Knowledge - something the user knows, e.g. a password
Ownership - something the user possesses, e.g. a smartcard
Characteristic - something the person is, e.g. a fingerprint
Knowledge Factors (Type 1 Factor)
Most popular form is a password
Also includes birthday, PIN, mother’s maiden name
If a knowledge factor is used, identity (account) and password management are crucial
Identity and Account Management
5 elements of proper account management
Establish a formal process for creating, issuing and closing user accounts
Periodically review user accounts
Implement process for tracking access authorization
Periodically prescreen personnel in sensitive positions
Periodically verify legitimacy of user accounts
Password Types and Management
Standard
Combination
Static
Complex
Passphrase
Standard - single words
Combination (composition) - mix of two unrelated words
Static - remains the same for each login. Most often seen in P2P networks
Complex - mix of uppercase and lowercase letters, numbers, special characters
Passphrase - a long phrase
Password Types and Management
Cognitive
One Time Passwords (dynamic)
Graphical
Numeric
Cognitive - a piece of information, usually a series of questions based on the user’s life (first car, favorite color)
OTP - only used once
Graphical - uses pictures, like a CAPTCHA
Numeric - contains only numbers, easier to guess because the set of possibilities is known
Password Policies
Password life
Password history
Authentication period - how long a user can stay logged in
Password complexity
Password length
Password Types and Management
(Knowledge Factors)
Password locations and default accounts
Linux, UNIX
- /etc/passwd
- /etc/shadow (protected)
- root account
Windows
- c:\windows\system32\config\SAM
- administrator and guest accounts
Password Types and Management
Ownership Factors, Type 2 authentication factor
Tokens
Memory Cards
Smart Cards
Synchronous token - generates a unique password at fixed time intervals, synchronized with the authentication server
Asynchronous token - generates a password based on challenge/response, with the token generating the correct response to the server’s challenge
Memory card - a card containing authentication information
Smart cards - contain a chip
contact cards require physical contact
contactless cards / proximity cards
hybrid cards are both contact and contactless
Password Types and Management
Characteristic Factors, Type 3 authentication factor
Biometrics
Physiological Characteristics
Behavioral Characteristics
Physiological - unique physical attributes of the user: iris, fingerprints, etc
Behavioral - measure actions: voice patterns, data entry characteristics
Types of physiological factors
fingerprint
finger scan
hand geometry - size, shape, finger length
hand topography - peaks, valleys, shape of hand
palm or hand scan
facial scan - bone structure, eye width, etc
retina scan - retinal blood vessel pattern
iris scan - scans colored portion of eye, rifts, coronas, furrows
vascular scans - pattern of veins in hand or face
Behavioral Characteristics
Signature dynamics
stroke speed, pen pressure, acceleration, deceleration
Keystroke dynamics
measures typing pattern when inputting password or predetermined phrase
Voice Pattern or print
measures sound pattern of user stating certain word
Biometric Considerations
Enrollment Time
Feature Extraction
Accuracy
Throughput Rate
Acceptability
Enrollment Time
Process of obtaining the sample used by the biometric system
Feature Extraction
approach to obtaining biometric information from the user
Accuracy
the most important characteristic of a biometric system
Throughput Rate
Rate at which the system can scan characteristics and complete the analysis to permit or deny access
Acceptability
Likelihood that users will accept and follow the system
Biometric Considerations
(FRR) False Rejection Rate
Type 1 Error
(FAR) False Acceptance Rate
Type 2 Error
(CER) Crossover Error Rate
FRR - Measurement of the percentage of valid users that will be falsely rejected by the system. Type 1 Error
FAR - Measurement of the percentage of invalid users that will be falsely accepted by the system. Type 2 Error
CER - Point where FRR = FAR
This is the most important metric. Expressed as a percentage
Authorization Concepts
Access Control policy
Separation of Duties
Access Control policy defines the methods for identifying and authenticating users and the level of access granted to them
Separation of Duties
Prevents fraud by distributing tasks and their rights and privileges among more than one user.
1. Dual Controls
2. Split Knowledge - no single user has all the knowledge needed to perform a certain task, e.g. one bank officer knows half of a combination, the other officer knows the other half.
Authorization Concepts
Principle of Least Privilege
Need to Know Principle
Principle of Least Privilege
Requires that a user or process has only the minimum privileges needed to do a certain task
Need to Know Principle
defines the minimums for each job or function
Authorization Concepts
No Access
Directory Service
SSO (Single Sign-On)
No Access is the recommended default level of access
Directory Service - database for centralizing data management for network subjects and objects
- X.500
- LDAP
- X.400
SSO - enter credentials once to access all resources. Can be implemented with Kerberos and SESAME (Secure European System for Applications in a Multivendor Environment)
Any directory service should provide single sign-on
Authorization Concepts
Kerberos
authentication protocol using a client-server model
default authentication model for Windows Server; also used in Apple, Sun and Linux systems
Uses symmetric key cryptography; provides integrity and confidentiality
KDC (Key Distribution Center) is the repository for all user and service secret keys
Kerberos Process
4 Steps
- User accesses the KDC
- KDC gives TGT (Ticket Granting Ticket)
- User gives TGT to Resource Server
- Resource Server provides access
Authorization Process
Security Domain
set of resources that follow the same security policies and are available to a subject
Domains are usually arranged in a hierarchical structure of parent and child domains
Federated Identity
portable identity that can be used across organizations
Each organization that joins the federation agrees to enforce common policies and standards
Cross-Certification Model
each organization certifies that every other one is trusted; each organization must verify and certify that the other orgs meet or exceed its standards
Trusted Third-Party or Bridge Model
Each organization subscribes to the standards of a third party, which manages verification, certification and due diligence for all organizations
Federated Identity
2 models that it’s based on
Cross Certification
Trusted Third-Party