ch 12 Flashcards
Granting or denying approval to use specific resources
• Access Control
Consists of fencing, hardware door locks, and mantraps to limit contact with devices
Physical access control
Consists of technology restrictions that limit users on computers from accessing data
Technical access control
What is it called when presenting credentials?
Identification
What is it called when checking the credentials?
Authentication
What is it called when granting permission to take action?
Authorization
A record that is preserved of who accessed the network, what resources they accessed, and when they disconnected
Accounting
A specific resource
Object
A user or process functioning on behalf of a user
Example: computer user
Subject
The action taken by the subject over an object
Example: deleting a file
Operation
Standards that provide a predefined framework for hardware or software developers
Use the appropriate model to configure the necessary level of control
Access control model
(D A C)
• Discretionary Access Control
Least restrictive model
Every object has an owner
Owners have total control over their objects
Owners can give permissions to other subjects over their objects
• Discretionary Access Control (D A C)
• (M A C)
Mandatory Access Control
Most restrictive access control model
User has no freedom to set any controls or distribute access to other subjects
Typically found in military settings
• (M A C) Mandatory Access Control
Every entity is an object and is assigned a classification label that represents the relative importance of the object
Labels
a hierarchy based on the labels is used
Levels
grants permissions by matching object labels with subject labels
M A C
(B L P)
Bell-LaPadula
(M I C)
Mandatory Integrity Control
(U A C)
User Access Control
A Windows feature that controls user access to resources
User Access Control (U A C)
(RBAC)
Role Based Access Control
Also called Non-Discretionary Access Control
Access permissions are based on user’s job function
(RBAC) Role Based Access Control
(RBAC)
Rule-Based Access Control
Dynamically assigns roles to subjects based on a set of rules defined by a custodian
Each resource object contains access properties based on the rules
(RBAC) Rule-Based Access Control
When initially setting up an account, take these into consideration:
Employee accounts
Creating location-based policies
Establishing standard naming conventions
Creating time-of-day restrictions
Enforcing least privilege
Employee On-boarding steps:
Scheduling
Job duties
Socializing
Work space
Training
Employee offboarding steps:
Exit interview
Back up all employee files from local computer and server
Archive email
Forward email to a manager or coworker
Hide the name from the email address book
User accounts that remain active after an employee has left
Orphaned accounts
an account that has not been accessed for a lengthy period
Dormant account
relies upon location-based policies
Or establishing the geographical boundaries of where a mobile device can and cannot be used
Geofencing
Means that only the minimum amount of privileges necessary to perform a job or function should be allocated
• Least Privilege
the process of periodically revalidating a user’s account, access control, and membership role
Recertification
intended to examine the permissions that a user has been given to determine if each is still necessary
Permission auditing and review
An audit process that looks at the applications that the user is provided, how frequently they are used, and how they are being used
Usage auditing and review
• Best Practices for Access Control
Separation of duties
Job rotation
Mandatory vacations
Clean desk policy
the process should be divided between two or more individuals
• Separation of Duties
Limits amount of time individuals are in a position to manipulate security configurations
Helps expose potential avenues for fraud
• Job Rotation
Limits fraud, because perpetrator must be present daily to hide fraudulent actions
• Mandatory Vacations
Designed to ensure that all confidential or sensitive materials are removed from a user’s workspace and secured when the items are not in use
• Clean Desk Policy
(A C L s)
Access control lists
A set of permissions attached to an object
Access control lists (A C L s)
Each entry in the A C L table is called
access control entry (ACE)
(SID)
Security identifier
for the user or group account or logon session
Security identifier (SID)
Permits the configuration of multiple computers by setting a single policy for enforcement
Group-based access control
(A D)
Active Directory
A Microsoft Windows feature that provides centralized management and configuration of computers and remote users using
Active Directory (A D)
(G P O s)
Group Policy Objects
Usually used in enterprise environments
Settings stored in
Group Policy Objects (G P O s)
(L G P)
Local Group Policy
Has fewer options than a Group Policy
Used to configure settings for systems not part of A D
Local Group Policy (L G P)
• R A D I U S
Remote Authentication Dial In User Service
Developed in 1992
Became an industry standard
Originally designed for remote dial-in access to a corporate network
• R A D I U S
Typically a device such as a wireless A P
Responsible for sending user credentials and connection parameters to the RADIUS server
R A D I U S client
Authentication system developed at M I T
Uses encryption and authentication for security
Works like using a driver’s license to cash a check
• Kerberos (Tickets) (SSO)
Symmetric based encryption
Originally DES now AES, 3DES
Uses the Diffie-Hellman key agreement
Requires mutual authentication
(T A C A C S +)
• Terminal Access Control Access Control System
Authentication service similar to R A D I U S
Commonly used on UNIX devices
Communicates by forwarding user authentication information to a centralized server
(T A C A C S +)
(L D A P)
• Lightweight Directory Access Protocol
A directory service is a database stored on a network
Contains information about users and network devices
Keeps track of network resources and user’s privileges to those resources
• Lightweight Directory Access Protocol (L D A P)
Designed to run over T C P/I P
A simpler subset of D A P
Encodes protocol elements in simpler way than X.500
L D A P
Weakness of L D A P
Can be subject to L D A P injection attacks
Similar to S Q L injection attacks
Occurs when user input is not properly filtered
S A M L
E-COMMERCE
• Security Assertion Markup Language
An Extensible Markup Language (X M L) standard that allows secure web domains to exchange user authentication and authorization data
S A M L
• Security Assertion Markup Language
(C H A P)
Challenge-Handshake Authentication Protocol
(M S - C H A P)
The Microsoft version of C H A P
(P A P)
Password Authentication Protocol
(E A P)
Extensible Authentication Protocol
Defines the format of the messages
Uses four types of packets:
Request, response, success, and failure
E A P: