Access Control Flashcards

1
Q

Authentication

A

Are you actually who you say you are? This is typically done with passwords, but we have several factors that can (and should) be used for more secure authentication.

2
Q

Authorization

A

Are you allowed to do what you are trying to do? Simply, authorization is the process of enforcing policies (i.e., determining what sorts of computing resources a user is allowed to use).

3
Q

Accounting

A

What happened and when? Here we measure what resources a user used, how much data was sent, what time it was sent, and more. All of this is done through the logging of data.

4
Q

AAA Framework

A

• Identification
—This is who you claim to be
—Usually your username
• Authentication
—Prove you are who you say you are
—Password and other authentication factors
• Authorization
—Based on your identification and authentication, what access do you have?
• Accounting
—Resources used: login time, data sent and received, logout time

5
Q

Multi-factor authentication

A
• More than one factor
—Something you are
—Something you have
—Something you know
—Somewhere you are
—Something you do
• Can be expensive
—Separate hardware tokens
—Specialized scanning equipment
• Can be inexpensive
—Free smartphone applications
6
Q

Something you are

A
• Biometric authentication
—Fingerprint, iris scan, voiceprint
• Usually stores a mathematical representation of your biometric
—Your actual fingerprint isn't usually saved
• Difficult to change
—You can change your password
—You can't change your fingerprint
• Used in very specific situations
—Not foolproof
7
Q

Something you have

A
• Smart card
—Integrates with devices
—May require a PIN
• USB token
—Certificate is on the USB device
• Hardware or software tokens
—Generates pseudo-random authentication codes
• Your phone
—SMS a code to your phone
8
Q

Something you know

A
• Password
—Secret word/phrase, string of characters
—Very common authentication factor
• PIN
—Personal identification number
—Not typically contained anywhere on a smart card or ATM card
• Pattern
—Complete a series of patterns
—Only you know the right format
9
Q

Somewhere you are

A

• Provide a factor based on your location
—The transaction only completes if you are in a particular geography
• IP address
—Not perfect, but can help provide more info
—Works with IPv4, not so much with IPv6
• Mobile device location services
—Geolocation to a very specific area
—Must be in a location that can receive GPS information or near an identified mobile or 802.11 network
—Still not a perfect identifier of location

10
Q

Something you do

A
• A personal way of doing things
—You're special
• Handwriting analysis
—Signature comparison
—Writing technique
• Typing technique
—Delays between keystrokes
• Very similar to biometrics
—Close to something you are
11
Q

Federation

A
• Provide network access to others
—Not just employees
—Partners, suppliers, customers, etc.
• Third parties can establish a federated network
—Authenticate and authorize between the two organizations
—Log in with your Facebook credentials
• The third parties must establish a trust relationship
—And the degree of the trust
12
Q

Single sign-on (SSO)

A
• Authenticate one time
—Gain access to everything!
• Saves time
—A seamless process
—End user doesn't see any of the complexities under the surface
• Many different methods
—Kerberos authentication and authorization
—3rd-party options
13
Q

Transitive trust

A

• Trust relationships need to be established early
—Difficult to change once in place
• One-way trust
—Domain B trusts Domain A, Domain A doesn't trust Domain B
• Two-way trust
—Both domains are peers, both trust each other equally
• Non-transitive trust
—A trust is specifically created and applies only to that domain
• Transitive trust
—Domain A trusts Domain B, Domain B trusts Domain C, therefore Domain A trusts Domain C

14
Q

Access control

A
There are many different ways to assign user rights and permissions to files, folders, and other objects.
• Authorization
—Policy enforcement: the process of ensuring only authorized rights are exercised
—Policy definition: the process of determining rights
• Users receive rights based on access control models
—Different business needs or mission requirements
15
Q

Mandatory Access Control (MAC)

A
• The operating system limits the operation on an object
—Based on security clearance levels
• Every object gets a label
—Confidential, secret, top secret, etc.
• Labeling of objects uses predefined rules
—The administrator decides who gets access to what security level
—Users cannot change these settings
16
Q

Discretionary Access Control (DAC)

A
• Used in most operating systems
—A familiar access control model
• You create a spreadsheet
—As the owner, you control who has access
—You can modify access at any time
• Very flexible access control
—And very weak security
17
Q

Role-based access control (RBAC)

A

• You have a role in your organization
—Manager, director, team lead, project manager
• Administrators provide access based on the role of the user
—Rights are gained implicitly instead of explicitly
• In Windows, use Groups to provide role-based access control
—You are in shipping and receiving, so you can use the shipping software
—You are the manager, so you can review shipping logs

18
Q

Attribute-based access control (ABAC)

A
• Users can have complex relationships to applications and data
—Access may be based on many different criteria
• ABAC can consider many parameters
—A "next generation" authorization model
—Aware of context
• Combine and evaluate multiple parameters
—Resource information, IP address, time of day, desired action, relationship to the data, etc.
19
Q

Rule-based access control

A
• Generic term for following rules
—Conditions other than who you are
• Access is determined through system-enforced rules
—System administrators, not users
• The rule is associated with the object
—System checks the ACLs for that object
• Rule examples
—Lab network access is only available between 9 AM and 5 PM
—Only Chrome browsers may complete this web form
20
Q

File system security

A
• Store files and access them
—Hard drives, SSDs, flash drives, DVDs
—Part of most operating systems
• Accessing information
—Access control list
—Group/user rights and permissions
—Can be centrally administered and/or users can manage files they own
• Encryption can be built in
—The file system handles encryption and decryption
21
Q

Database security

A

• Databases have their own access control
—Username, password, permissions
• Encryption may be an option
—Most databases support data encryption
• Data integrity is usually an option
—No data is lost because of a fault
—Part of the database server operation
• Applications can provide a secure front end
—Prevent SQL injection and inappropriate access to data

22
Q

Proximity cards

A
• Close-range card
—Contactless smart card
• Passive device
—No power in the card
—Powered from the reader
• Not a large data storage device
—Often used as an identifier
—Keycard door access, library cards, payment systems
—The identifier is linked to data stored elsewhere
23
Q

Smart Cards

A
• Integrated circuit card
—Contact or contactless
• Common on credit cards
—Also used for access control
• Must have the physical card
—To provide digital access
—A digital certificate
• Multiple factors
—Use the card with a PIN or fingerprint
24
Q

Biometric factors

A
• Fingerprint scanner 
—Phones, laptops, door access 
• Retinal scanner 
—Unique capillary structure in the back of the eye 
• Iris scanner 
—Texture, color 
• Voice recognition 
—Talk for access 
• Facial recognition 
—Shape of the face and features
25
Q

Biometric acceptance rates

A

• False acceptance rate (FAR)
—Likelihood that an unauthorized user will be accepted
—This would be bad
• False rejection rate (FRR)
—Likelihood that an authorized user will be rejected
—No, it's really me
—Let's try again
• Crossover error rate (CER)
—The rate at which FAR and FRR are equal
—Adjust sensitivity to equalize both values
—Used to quantitatively compare biometric systems

26
Q

Token generators

A
• Pseudo-random token generators
—A useful authentication factor
• Carry around a physical hardware token generator
—Where are my keys again?
• Use a software-based token generator on your phone
—Powerful and convenient
27
Q

HOTP

A

• One-time passwords
—Use them once, and never again
—Once a session, once each authentication attempt
• HMAC-based One-Time Password algorithm
—Keyed-hash message authentication code (HMAC)
—The one-time codes are derived from a secret key and a counter
• Token-based authentication
—The hash is different every time
• Hardware and software tokens available
—You'll need additional technology to make this work

28
Q

TOTP

A

• Time-based One-Time Password algorithm
—Use a secret key and the time of day
—No incremental counter
• Secret key is configured ahead of time
—Timestamps are synchronized via NTP
• Timestamp usually increments every 30 seconds
—Put in your username, password, and TOTP code
• One of the more common OTP methods
—Used by Google, Facebook, Microsoft, etc.

29
Q

Certificate-based authentication

A

• Smart card
—Private key is on the card
• PIV (Personal Identity Verification) card
—US Federal Government smart card
—Picture and identification information
• CAC (Common Access Card)
—US Department of Defense smart card
—Picture and identification
• IEEE 802.1X
—Gain access to the network using a certificate
—On device storage or separate physical device