Access Control - Domain 1 Flashcards
Q
A
What do Access Control mechanisms protect against?
Protect information and resources from unauthorized disclosure, modification and destruction.
What do Access Control mechanisms defend against?
They defend against unauthorized entry, access and use.
Three main types of Access Control Mechanisms:
Physical, Administrative, and Technical.
What do Administrative Controls do in Access Control:
Develop policies, standards and procedures; screen personnel; provide security awareness training; monitor system and network activity; and perform change control.
What do Technical Controls do in Access Control:
Logical mechanisms that provide password and resource management, identification and authentication, and software configurations.
What do Physical Controls do in Access Control:
Protect individual systems, the network, employees, and the facility from physical damage.
What are the 8 Access control administrative controls?
1. Develop a security program. 2. Determine compliance levels and consequences of non-compliance. 3. Indicate who has authorized access and who is unauthorized. 4. Classify data and enforce the protection required for that classification. 5. Develop policies and standards and enforce them when they are broken. 6. Develop an incident response team. 7. Develop a business continuity and disaster recovery plan. 8. Operational and continuity testing.
What are the 5 Access control technical controls?
1. Implement access control - requiring users to authenticate before accessing a system or data. 2. Encrypt data where it is stored or transmitted. 3. Implement firewalls and IDS. 4. Fault tolerance and load balancing. 5. Auditing.
What are the 5 Access control physical controls?
1. Locks and alarms on doors. 2. Security guards watching for suspicious individuals and activities. 3. IDS to physically protect the facility. 4. Removing floppy drives so information cannot be copied and brought out of a building. 5. Storing backup data in a fireproof safe and/or at an offsite facility.
What are the 7 Access Control types/categories:
1. Preventative. 2. Detective. 3. Corrective. 4. Deterrent. 5. Recovery. 6. Compensation. 7. Directive.
What are the 4 Preventative-Administrative control combinations?
1. Policies and procedures. 2. Pre-employment background checks. 3. Data classification and labeling. 4. Security awareness.
What are the 3 Preventative-Physical control combinations?
1. Badges and swipe cards. 2. Guards, dogs, motion detectors, CCTV. 3. Fences, locks, man traps, alarms.
What are the 3 Preventative-Technical control combinations?
1. Passwords, biometrics, smart cards. 2. Encryption, protocols, call-back systems, database views, constrained user interface. 3. Anti-virus software, ACLs, firewalls, routers, clipping levels.
What are the 4 Detective-Administrative control combinations?
1. Job rotation. 2. Sharing responsibilities. 3. Inspections. 4. Incident response.
What are the 3 Detective-Technical control combinations?
1. IDS. 2. Reviewing audit logs. 3. Reviewing violations of clipping levels.
What is the Detective-Physical control combination?
Human evaluation of output from sensors or cameras.
Access control definitions - Subject:
Active entity that requests access to an object or the data within an object.
Access control definitions - Object:
Passive entity that contains information.
Access control definitions - Access:
Ability of a subject to do something.
Access control definitions - Access Control:
Security features that control how subjects and objects communicate and interact with other subjects and objects.
Access Control - Identification
Identifying the subject using a username, smart card or memory card.
Access Control - Authentication
Proving the subject is who it claims to be with a second piece of a credential set.
Access Control - Authorization
Granting access to resources based on defined criteria.
Access Control - Accounting
Keeping records of activity.
Access Control - Authenticating a subject
A subject must prove its identity.
Access Control - Authentication types
1. Something you know. 2. Something you have. 3. Something you are.
Access Control - TFA
Strong authentication employs two out of the three authentication types.
Access Control - Mutual authentication
Two-way authentication.
Access Control - What are the five things a user knows?
1. Password. 2. Personal history. 3. Passphrase. 4. PIN. 5. Graphical.
Access Control - Password characteristics
1. Cheapest, least secure, most widely used authentication technology. 2. Least secure because users choose easy passwords, share them, write them down, or do not change them. 3. Lack of strict password policy enforcement reduces security. 4. Password generators can create complex passwords, but users will just write them down.
Access Control - Password best practices
1. Use at least 8 characters - alphanumeric, upper and lower case. 2. Users should not be able to reuse a password or share it. 3. A threshold (clipping level) for the acceptable number of failed logins should be set and logged. 4. The audit log should contain date, time, user ID, and the workstation logged in from. 5. Password lifetime should be short, but practical.
Access Control - Password type - Cognitive
1. Fact- or opinion-based information used to verify an individual's identity. 2. The enrollment phase includes questions about one's life. 3. Easier to remember than a password.
Access Control - Authentication mechanism - Passphrase
1. A sequence of characters longer than a password. 2. Once entered, the software transforms it into a virtual password. 3. Usually easier for a user to remember.
Access Control - Type 2 Authentication
1. Token device. 2. Cryptographic keys. 3. Memory cards. 4. Smart cards.
Access Control - OTP generators
1. A dynamic password that is good for only one use. 2. Useless to an attacker who obtains it after use. 3. Usually created via a token device.
Access Control - Synchronous OTP
Synchronizes with the authentication device by using time or an event as the core piece of the authentication process.
Access Control - Asynchronous OTP
Challenge-response scheme used to communicate with the authentication service.
Access Control - Token - cons
1. Can be lost. 2. Schemes can fall prey to masquerading if the user shares information.
Access Control - Token - pros
1. Not as vulnerable to electronic eavesdropping, replay attacks, and password guessing. 2. Provides a higher level of protection than static passwords.
Authentication Mechanism - Crypto Keys
1. A private key or digital signature can be used to prove one's identity. 2. Used when more security is required.
Authentication Mechanism - Memory Card
1. The card holds user authentication information. 2. The user puts the card in a reader and enters a username and PIN. 3. The card only holds information; it doesn't process it. 4. Added cost of readers, card creation, and maintenance.
Authentication Mechanism - Smart Card
1. Has a microprocessor. 2. Tamperproof mobile storage of user authentication data. 3. Can work with PKI to provide mutual authentication of parties. 4. After a threshold of failed login attempts, it can render itself unusable.