Ch. 14: Controlling and Monitoring Access Flashcards

1
Q

Permissions, Rights and Privileges

A

Permissions: access granted to an object that determines what you can do with that object

Rights: the ability to take an action on an object; very similar to permissions, but you will rarely see a permission described as the right to take an action

Privileges: the combination of rights and permissions, e.g. an administrator has full privileges, granting the administrator full rights and permissions on the computer

2
Q

Authorization Mechanisms

A

Implicit Deny: ensures that access to an object is denied unless access has been explicitly granted to the subject

Access Control Matrix: a table that includes subjects, objects, and assigned privileges. When a subject attempts an action, the system checks the access control matrix to determine whether the subject has the appropriate privileges to perform the action. For example, an ACM can include a group of files as the objects and a group of users as the subjects; it shows the permissions authorized for each user on each file. Note that this is different from an access control list: each file within the matrix has a separate ACL that lists the authorized users and their assigned permissions.

Capability Tables: list all objects that a specific subject or role has access to. For example, a capability table for the accounting role lists all objects the accounting role can access and the specific privileges assigned to the accounting role for each of those objects. They differ from ACLs in focus: an ACL is focused on an object (which subjects can access it), while a capability table is focused on a subject (which objects it can access).

Constrained Interface: applications use constrained (restricted) interfaces to limit what users can do or see based on their privileges. Applications constrain the interface in different ways, e.g. hiding a capability if the user doesn't have permission to use it, or showing commands to administrators but not to regular accounts.

Content-Dependent Control: restricts access to data based on the content within an object, e.g. a database view, which retrieves specific columns from one or more tables to create a virtual table. For example, a customer table may hold all of a customer's PII, while the customer view exposes only the first and last name columns.

Context-Dependent Control: requires specific activity before granting users access, e.g. the data flow of a transaction selling digital products. A user adds digital products to the cart, the next page collects credit card data, and the last page confirms the purchase and provides instructions for downloading the digital content. The system denies access to the download page if the user has not gone through the purchase process first. You can also restrict access to computers and applications based on the current day and/or time; if users attempt to access the resources outside the allowed time, the system denies them access.

Need to Know: subjects are granted access only to what they need to know for their work tasks and job functions. Subjects may have clearance to access classified or restricted data but are not granted authorization to the data unless they actually need it to do their job.

Least Privilege: ensures that subjects are granted only the privileges they need to perform their work functions. The difference between this and need to know is that least privilege also includes rights to take actions on a system.

Separation of Duties and Responsibilities: ensures sensitive functions are split into tasks performed by two or more employees. This helps prevent fraud and errors by creating a system of checks and balances.

3
Q

Defense in Depth

A

Multiple layers of access controls that provide layered security, e.g. physical access controls > logical access controls > administrative access controls

Important Points:

  • security policies (an administrative access control) define the security requirements.
  • personnel need proper training and education to implement, comply with, and support the security elements defined in the policy.
  • a combination of administrative, technical and physical access controls provides a much stronger defense; using only one type can leave weaknesses that attackers can discover and exploit
4
Q

Summary of 5 Access Control Models

A
  1. Discretionary Access Control: every object has an owner, and the owner can grant or deny access to any other subject. NTFS (New Technology File System), used on Microsoft Windows, uses DAC
  2. Role Based Access Control: users are added to roles (usually by job description) and an administrator assigns privileges to those roles. When a user is added to a role, they receive all the privileges assigned to it
  3. Rule-based Access Control: global rules that apply to all subjects, e.g. a firewall uses rules that allow or block traffic for all users equally; the rules are sometimes called restrictions or filters.
  4. Attribute Based Access Control: rules can include multiple attributes, making it much more flexible than RuBAC. It also allows administrators to create rules with plain-language names
  5. Mandatory Access Control: labels are applied to both subjects and objects, and access is granted according to the privileges set for that label. The subject and the object it is trying to access must have the same label (sometimes called the lattice-based model).
5
Q

Discretionary Access Controls

A

DAC Model: an object has an owner, who determines to whom and how access is assigned

It is implemented using access control lists (ACLs) on objects.

  • each ACL defines the types of access granted or denied to subjects; this is not a centrally managed system because owners can change the ACLs on an object at will.
  • access to objects is easy to change, especially when compared to mandatory access controls
  • Microsoft Windows uses DAC models and ACLs

Administrators can easily suspend user privileges while users are away, such as on vacation, and disable the accounts of terminated employees

6
Q

Nondiscretionary Access Controls

A

The main difference between discretionary and nondiscretionary access controls is how they are controlled and managed

  • administrators centrally administer access controls and can make changes globally
  • access does not focus on user identity but rather on static rules that govern the entire environment
8
Q

Access Control: Risk Elements

A

Risk: the likelihood that a threat will exploit a vulnerability, resulting in a loss such as harm to an asset

Threat: a potential occurrence that can result in an undesirable outcome; threats can be intentional, unintentional, or natural disasters

Vulnerability: any type of weakness, which could be due to a flaw or limitation in hardware or software, or the absence of a security control, such as a lack of antivirus

Risk Management: attempts to reduce or eliminate vulnerabilities, or reduce the impact of potential threats, by implementing controls or countermeasures. The focus is on reducing risk, since risk cannot be eliminated entirely. It involves:

  • identifying assets
  • identifying threats
  • identifying vulnerabilities
9
Q

Identifying Assets

A

Asset Valuation: identifying the actual value of assets with the goal of prioritizing them; this is more than just the purchase price, e.g. the loss of revenue if the asset fails. It's especially important to determine the value of data,

Cost-Benefit Analysis: uses the asset value to determine the cost-effectiveness of different types of security controls. Organizations will spend significant money to protect high-value assets, and accept the risks associated with low-value assets

10
Q

Identifying Threats

A

Threat Modeling: the process of identifying possible threats to valuable systems, with the goal of producing a list of potential threats (which can include natural disasters) and analyzing them.

Threat modeling processes focused on access controls attempt to identify any potential threats that could bypass access controls and gain unauthorized access to a system

11
Q

Advanced Persistent Threat

A

Advanced Persistent Threats (APTs): a group of attackers who work together, are highly motivated, have advanced knowledge and a wide variety of skills to detect and exploit vulnerabilities, and focus on one specific target. They can be funded by nation-states/governments or by criminal gangs.

12
Q

Threat Modeling Approaches

A

Asset Focused: uses asset valuation to identify threats to valuable assets; if an asset contains valuable data, this approach looks specifically for threats that bypass authentication or authorization mechanisms.

Attack Focused: focuses on attackers in an attempt to identify their goals, and uses this knowledge to protect the relevant assets

Software Focused: focuses on threats against software

13
Q

Identifying Vulnerabilities

A

Vulnerability Analysis: occurs after identifying assets and threats, and attempts to discover weaknesses in those systems and their access controls with respect to the potential threats

Risk analysis often includes vulnerability analysis, evaluating systems and the environment against the identified threats and vulnerabilities

14
Q

Access Control Attacks

A

Access aggregation attacks: collecting multiple pieces of non-sensitive information and combining them to learn sensitive information, e.g. multiple facts about a system (IP address, open ports, running systems, operating systems). Combining defense-in-depth, need-to-know, and least privilege helps prevent access aggregation attacks

Password Attacks: since passwords are the weakest form of authentication, many password attacks are available. A strong password helps prevent password attacks, and the longer the password the better. Passwords should not be stored in plaintext; instead they should be hashed using a strong hash function such as SHA-3. Default passwords should also be changed

15
Q

Password Attacks

A

Dictionary Attacks: an attempt to discover passwords by trying every password in a predefined database of common or expected passwords. These attacks also check for "one-upped" constructed passwords, i.e. previously used passwords with one character changed

Brute Force Attacks: programmatically attempting every combination of numbers, letters, etc. A hybrid attack is a dictionary attack followed by a brute-force attack. Many attackers use GPUs instead of CPUs for the additional computing power

Birthday Attacks: focus on finding hash collisions, exploiting the birthday paradox: if there are 23 people in a room, there is a 50% chance that two of them share a birthday. You can reduce the chance of a successful birthday attack by making hashes long enough that finding collisions is not feasible

Rainbow Table Attacks: a rainbow table reduces the time it takes to guess a password, hash it, and compare it by using large databases of precomputed hashes. A password cracker can compare every hash in the rainbow table against the hashes in a stolen password database file.

16
Q

Password Hashing Process

A
  1. the user enters credentials such as a username and password
  2. the user's system hashes the password and sends the hash to the authenticating system
  3. the authenticating system compares this hash to the hash stored in the password database file. If they match, the user entered the right password

This way, passwords do not traverse the network in cleartext (which would make them susceptible to sniffing attacks), and cleartext passwords are not stored in a database that is susceptible to attacks

However, password-cracking tools (this technique is also known as comparative analysis) look for a password that creates the same hash value as an entry stored in the account database file, using the following steps:

  1. guess a password
  2. calculate the hash of the password
  3. compare the calculated hash against the stored hash in the offline database.
  4. repeat steps 1 through 3 until a guessed password has the same hash as a stored password

Two different passwords producing the same hash is called a collision. Collisions are nearly impossible with a strong hash function; however, MD5 hashing is not collision free and therefore shouldn't be used for password hashing