Chapter 1 - Access Control Flashcards
Access Controls encompass all operational levels of an organization.
Facilities; Support Systems; Information Systems; and Personnel
C-I-A
Confidentiality, Integrity and Availability
Two Philosophies for Access Control
Allow by Default and Deny by Default
Defense in Depth Strategy
Applying multiple layers of security protection between an information resource and a potential attacker.
Three step process for determining access controls
1. Defining resources 2. Determining users 3. Specifying the users' use of the resources
Consistent Access Control Strategy
Simplicity is the key to an effective security system.
Separation of Duties
Primary objective is the prevention of fraud and errors: distributing tasks and associated privileges for a specific process among multiple people.
Processes
Collection of tasks that must be performed to achieve an objective.
Applicability of Separation of Duties
Sensitivity of the function under consideration; which elements within the function are prone to abuse, which are easily segmented, and what skills are available.
Least privilege
User is given no more access privilege than necessary to perform a job, task, or function.
Need to know
Defines the minimum needed to know to perform job function
Compartmentalization
Separating groups of people and information such that each group is isolated and information does not flow between groups.
Security domain
Area where common process and security control work to separate all entities involved in these processes from other entities or security domains.
Information Classification
Objective is to group an organization’s information assets by levels of sensitivity and criticality.
Information Classification Program
1. Determine objectives 2. Establish organizational support 3. Develop policy and supporting procedures 4. Develop process flows and procedures 5. Develop tools to support 6. Identify process and application owners 7. Identify information owners and delegates 8. Distribute standard templates 9. Classify information and applications 10. Develop auditing procedures 11. Load classification information into a central repository 12. Train users 13. Periodically review and update information classifications
Access Control System Requirements
Reliability, Transparency, Scalability, Integrity, Maintainability, Authentication Data Security, and Auditability
Main Categories of Access Control
1. Directive - apply rules 2. Deterrent - discourage violations 3. Preventive - prevent incident 4. Compensating - mitigate risk 5. Detective - signal warning when breached 6. Corrective - remedy circumstance 7. Recovery - restore conditions
Access Control Types
1. Administrative controls - define roles, responsibilities, policies, and administrative functions 2. Logical (technical) controls - electronic hardware and software solutions implemented to control access to information and information networks 3. Physical controls - protect the physical environment - locks, gates, guards
Major Groups of Administrative Controls
1. Policies and procedures 2. Personnel security, evaluation and clearances 3. Security policies 4. Monitoring 5. User management 6. Privilege management
BCP/DRP
Business continuity plan/disaster recovery plan
RADIUS
Remote Authentication Dial In User Service
Major Groups of Logical Controls
1. Network access 2. Remote access 3. System access 4. Application access 5. Malware control 6. Encryption
Discretionary Access Controls (DACS)
Controls placed on data by the owner of the data
Mandatory Access Controls (MACS)
Controls determined by the system and based primarily on organizational policy. Data needs to be labeled as to its classification. Access permissions are applied to an object based on the level of clearance given to a subject.
Nondiscretionary Access Control
Based on assignment of permissions as defined by the administrator of a system
Access Control Matrix
An access control list in the form of a table - showing what permissions a user has for various system objects.
Rule-based Access Control
Specifies the privileges granted to users (e.g., read, write) when the specific condition of a rule is met - e.g., the time a certain file can be accessed.
Role-based Access Control
Based on job function - objects associated with a role will inherit privileges assigned to that role
RBAC
Non-RBAC - user granted access directly; Limited RBAC - users mapped to roles within a single application; Hybrid RBAC - role applied to multiple applications or systems, but with instances where subjects are assigned to roles defined within an application; Full RBAC - roles defined by organizational policy
Content Dependent Access Control
Based on content of data not roles
Constrained User interface
Restricting users to specific functions based on their role in the system - e.g. limiting menus, data views, encryption, etc
Capability Tables
Used to match subjects and their capabilities - read, write
Temporal Isolation
Activities may be restricted on when they can be performed
Identification
Assertion of a unique identity for a person or system and is the starting point of access control. - Uniqueness
Authentication
The process of verifying the identity of the user - Validity
Authorization
Process of defining the specific resources a user needs and determining the type of access to those resources the user may have. - Control
MAC Address
Media Access Control - 48-bit number - machine address - can now be set in software, so it can no longer be considered a strong identifier
IP Address
Logical location of a device on the IP network - assigned in software
RFID
Radio Frequency Identification - small label that can be embedded in almost any object - they can be read from a distance
Email Address
globally unique - enforced by convention
User Identification Guidelines
User identification must be unique; user identification should be non-descriptive and disclose as little as possible about the user; user identification must be secure; and the final process must be logged and documented so that it can be verified and audited.
Identity Management
Refers to a set of technologies intended to offer greater efficiency in the management of a diverse user and technical environment
Challenges for Identity Management Solutions
Consistency; usability; reliability; and scalability
Centralized Access Control Systems
RADIUS and TACACS+ (Terminal Access Controller Access-Control System Plus)
Authentication Methods
By knowledge (knows); by possession (has); by characteristic (is); and geolocation (where)
Single - factor authentication
user id and password
Two - factor authentication
user id, password, and fob
Three - factor authentication
user id, password, fob, and biometric
Secure passwords
typically hashed; a hash function takes an arbitrary amount of data as input and, through the use of a mathematical algorithm, will produce a unique, fixed-length representation of the data as output. Hash is a one-way function.
Authentication by Possession
Asynchronous token - challenge-response technology; synchronous token - based on an event, location, or time-based synchronization between the requestor and the authenticator
Memory Card
Holds information but cannot process information, e.g., user swipes card and enters a PIN. Data stored on the card is not protected.
Smart Card
Embedded semiconductor chip that accepts, stores and sends information; ICC (integrated circuit card). Based on ISO 7816-2 there are 8 electrical contacts - six are currently used. Can be used in proximity of a reader.
Biometrics
Physical (fingerprint) and behavioral (voice pattern). Most common - fingerprints. Tend to provide higher security than other methods - higher strength
Hand Geometry
tension in the tendons, temperature, finger length, bone length, and hand width.
Palm Scans
combination of hand geometry and fingerprint analysis
Face Individuality
Iris, retina (blood vessels at the back of the eye), entire face (facial geometry and heat signatures)
Vascular Scan
veins in hands or face - relatively new
Keystroke Dynamics
stroke speed, acceleration, deceleration and pen pressure
False Reject Rate
when authorized users are falsely rejected
False Acceptance Rate
when unauthorized users are falsely accepted
CER
Crossover Error Rate - amount to adjust sensitivity and maximum acceptable level of change - organization will need to determine this based on its overall risk tolerance
Session Management
single instance of identification and authentication are applied to resources
Session hijacking
A form of “man in the middle” attack
Accountability
ability to determine who or what is responsible for an action and can be held responsible
Repudiation
is the ability to deny an action, event, impact or result
Password management
Require users to change passwords, lockout mechanism, self-registration process aids
Account Management Systems
Central facility, workflow, automatic replication, facility for loading batch changes, automatic creation, change, or removal of access to system resources
Profile Management
Collection of information associated with a particular identity or group.
Directory Management
centralized collection of user data
Directory Technologies
X.500, LightWeight Directory Access Protocol (LDAP), Active Directory and X.400
X.500
Developed by the International Telecommunications Union (ITU-T) - initially worked with OSI; now operates over TCP/IP as well. 4 protocols: Directory Access Protocol, Directory System Protocol, Directory Information Shadowing Protocol, and the Directory Operational Binding Management Protocol. Hierarchical database with a key field of distinguished name (DN)
LDAP
Provides simpler implementation - hierarchical, operates in client/server architecture, typically runs over an unsecured network using TCP port 389. Version 3 of LDAP supports TLS to encrypt, or use of TCP port 636 over an SSL connection
Active Directory
LDAP for Microsoft-based environments, provides central authentication and authorization capabilities - organized in forests and trees - a forest is a collection of all the objects and their associated attributes, and trees are logical groupings of one or more AD security domains within a forest. Domains are identified by their DNS name. Objects are grouped by organizational units.
X.400
ITU-T guidelines for exchange of e-mail - known as messaging handling system. Supports message transfer and message storage - supplanted in recent years by SMTP
Single Sign-on
SSO, reduced sign-on, or federated ID management - script-based single sign-on aids with legacy technology
Kerberos
Three-headed dog: authentication, authorization, and auditing. Security system using secret key cryptography - users must have a unique ID for each application on the network. 4 requirements for access control - security, reliability, transparency, scalability. Based on symmetric encryption and a secret key shared amongst the participants. Primary goal is to ensure private communications between systems over a network.
Kerberos Process
Interaction between three systems: the requesting system, the endpoint destination server, and the Kerberos or Key Distribution Center (KDC). Time-sensitive
KDC
Serves two functions during the authentication transaction: as an authentication server and as a ticket-granting server. Maintains a database of the secret keys of all the participants
Realm key
A common key used for initial trusted communication - then a unique key is created to support future communications - common to use a hash of the user's password as the unique user key
TGT
Ticket granting ticket - user will receive once authenticated with AS along with session encryption key
Secure European System for Application in a Multi-Vendor Environment (SESAME)
Offers single sign-on services and uses both symmetric and asymmetric cryptographic techniques. Key attributes: single sign-on, role-based access control, use of privileged attribute certificate (PAC), use of Kerberos Version 5 protocol to access SESAME components, use of public key cryptography for distribution of secret keys
Web Accessed Management
WAM - replaces the sign-on process in affiliated Web applications, typically by using a plug-in service on the Web server hosting the portal to the member applications.
Federated Identity Management
Each organization subscribes to a common set of policies, standards, and procedures for the provisioning and management of user identification, authentication, and authorization information, as well as a common process for access control for systems these users must access. Uses a cross-certification model for trust, but once it goes beyond a small number of organizations it becomes very complex. Use of a third-party bridge model is an alternative to the cross-certification model. The third party is considered trustworthy - good for a large number of organizations.
OIUA
once in unlimited access
Auditing Events
Network events, system events, application events, user actions, and keystroke activity
Unix System Keystroke Activity
Logging files are found in the user's $HOME directory with names like ".history" or "sh_history"
IDS
Intrusion detection system - part of a network device or dedicated device - does not take any action on the problem. Considered network monitoring
IPS
Intrusion prevention system - will take proactive prevention action - responds in real time to an event at the system or network layer. Considered an access control.
SIEM
Security Information and Event Management - aggregates information about access controls and selected system activity to store for analysis and correlation.
Denial of Service
DoS - consumption of resources preventing useful processing, and interruption of network resources preventing communication, rendering a system unusable - SYN floods - attacker makes an overwhelming number of session initiation requests - TCP/IP protocol
Tear Drop
Exploits how operating systems manage fragmented IP packets - overlapping fragmented packets trigger a flaw in the system - shutting it down
DDoS
Distributed denial of service - attacks a server from thousands of locations
Buffer overflows
buffer temporarily stores information for processing - an attack manipulates the system’s ability to manage its buffers. - Can also be used to inject malicious code - used to gain unauthorized access or to escalate privileges.
Mobile Code
Transmitted across a network from a remote source - ActiveX controls, Java applets, JavaScript code from a Web page and HTML-based email
Malicious software
Virus - parasitic code which attaches itself to another program; worm - self-propagating code; trojan horse - appears desirable but contains something harmful; spyware - used to deploy malware, collect private data, send advertising
Password crackers
If an attacker has obtained a hashed password file, brute-force attacks are used to compare combinations against it
Martin Hellman
developed public key cryptography with Whitfield Diffie
Phillip Oechslin
Faster method of organizing hashed chains - rainbow chain
Spoofing/Masquerading
With the IP protocol, alter the source to a trusted IP - removes the assurance that a person is dealing with a trusted entity.
Kevin Mitnick
Popularized the technique of IP spoofing
sniffers
Collect information from a communication medium like a network
Emanations
Proliferation of electromagnetic signals given off by electronic devices
Tempest
Late 1960s - government program that studies compromising emanations - equipment should be located in the center of a building, possibly protected by a Faraday cage (wrapped in wire mesh) - restricts signal leakage
Shoulder surfing
direct observation - seeing a password typed in
Object Reuse
Residual data should be cleared - print only one user's output at a time
Data remanence
Remains of partial data or even the entire set of digital information
FAT
File allocation table maintains the physical location of files; often when files are deleted the information is removed from the FAT but the actual data is still residing on the drive.
Slack space
Space at the end of a file - it can be used by hackers to store information
Data mining
Act of collecting and analyzing large quantities of information to determine patterns of use or behavior, and using those patterns to form conclusions
Dumpster diving
Taking what people assume is trash - cross-cut shredders are more effective
Backdoors and Trap doors
Special access capabilities put in by the developer
Logic bombs
Results of attacks can be delayed for a long period of time - a logical progression of events occurs before they unleash their aggression.
Theft
Physical theft - anything of value can be removed; digital theft - copies of data
Social Engineering
Practice of misdirection to obtain information through social contact
Threat Modeling
Using scenario analysis with knowledge of threats and vulnerabilities to help determine what risks are present in a system or application and where to apply resources to ensure the best mitigation for the value
Formula for risk
impact vs. likelihood
Asset Valuation
Hardware, software, integration, opportunity cost, regulatory exposure (civil/criminal), information replacement, reputational exposure
SLE=AV x EF
Single loss expectancy = asset value x exposure factor (estimate of how much an asset's value will decline, as a percentage)
ALE= SLE x ARO
Annualized loss exposure = single loss expectancy x Annualized rate of occurrence
Penetration Test methodology
Reconnaissance, enumeration, vulnerability analysis, execution, document findings
Identity and Access Provisioning Life Cycle
Provisioning, Review, Revocation
A preliminary step in managing resources is A. Conducting a Risk Analysis B. Defining who can access a given system or information C. Performing a business impact analysis D. Obtaining top management support
B. Defining who can access a given system or information
Which best describes Access controls? A. Access controls are a collection of technical controls that permit access to authorized users, systems, and applications B. Access controls help protect against threats and vulnerabilities by reducing exposure to unauthorized activities and providing access to information and systems to only those who have been approved C. Access Control is the employment of encryption solutions to protect authentication information during log-on D. Access Controls help protect against vulnerabilities by controlling unauthorized access to systems and information by employees, partners and customers
B. Access controls help protect against threats and vulnerabilities by reducing exposure to unauthorized activities and providing access to information and systems to only those who have been approved
_____ requires that a user or process be granted access to only those resources necessary to perform assigned functions A. Discretionary Access Control B. Separation of Duties C. Least Privilege D. Rotation of Duties
C. Least Privilege
What are the 7 main categories of access control? A. Detective, corrective, monitoring, logging, recovery, classification, and directive B. Directive, deterrent, preventative, detective, corrective, compensating and recovery C. Authorization, identification, factor, corrective, privilege, detective, and directive D. Identification, authentication, authorization, detective, corrective, recovery, and directive
B. Directive, deterrent, preventative, detective, corrective, compensating and recovery
What are the three types of access controls? A. Administrative, physical and technical B. Identification, authentication, and authorization C. Mandatory, discretionary, and least privilege D. Access, management, and monitoring
A. Administrative, physical and technical
Which approach revolutionized the process of cracking passwords? A. Brute Force B. Rainbow table Attack C. Memory tabling D. One-time Hashing
B. Rainbow table Attack
What best describes two-factor authentication? A. A hard token and a smart card B. A user name and a pin C. A password and a pin D. A pin and a hard token
D. A pin and a hard token
A potential vulnerability of a Kerberos authentication server is A. Single Point of Failure B. Asymmetric key compromise C. Use of dynamic passwords D. Limited lifetimes for authentication credentials
A. Single Point of Failure
In mandatory access control the system controls access and the owner determines A. Validation B. Need to know C. Consensus D. Verification
B. Need to know
Which is the least significant issue when considering biometrics? A. Resistance to counterfeiting B. Technology type C. User acceptance D. Reliability and Accuracy
B. Technology type
Which is a fundamental disadvantage of biometrics? A. Revoking credentials B. Encryption C. Communication D. Placement
A. Revoking credentials
Role based access control A. Is unique to mandatory access control B. Is independent of owner input C. Is based on user job function D. Can be compromised by inheritance
C. Is based on user job function
Identity management is A. Another name for access controls B. Technologies and processes intended to offer greater efficiency in the management of a diverse user and technical environment C. Technologies and processes focused on the provisioning and decommissioning of user credentials D. Technologies and processes used to establish trust relationships with disparate systems
B. Technologies and processes intended to offer greater efficiency in the management of a diverse user and technical environment
A disadvantage of single sign on is A. Consistent time-out enforcement across platforms B. A compromised password exposes all authorized resources C. Use of multiple passwords to remember D. Password change control
B. A compromised password exposes all authorized resources
Which of the following is incorrect when considering privilege management? A. Privileges associated with each system, service or application, and the defined roles within the organization to which they are needed, should be identified and clearly documented B. Privileges should be managed based on least privilege. Only rights required to perform a job should be provided to a user, group or role C. An authorization process and a record of all privileges allocated should be maintained. Privileges should not be granted until the authorization process is complete and validated D. Any privileges that are needed for intermittent job functions should be assigned to multiple user accounts, as opposed to those for normal system activity related to the job function
D. Any privileges that are needed for intermittent job functions should be assigned to multiple user accounts, as opposed to those for normal system activity related to the job function
Threat modeling is the process of A. Determining which threats to neutralize first B. Developing access controls that compensate for the vulnerabilities C. A risk assessment approach in which decisions are based on risk and value D. Scenario analysis targeted towards determining the best approach for threat elimination
C. A risk assessment approach in which decisions are based on risk and value
When reviewing user entitlement the security professional must be most aware of A. Identity management and disaster recovery capability B. Business or organizational processes and access aggregation C. The organizational tenure of the user requesting entitlement D. Automated processes which grant users access to resources
B. Business or organizational processes and access aggregation
Which formula represents ALE or annual loss exposure? A. ALE = SLE * ARO B. SLE = ARO * ALE C. SLE = SRO * EF D. ALE = EF * SLE
A. ALE = SLE * ARO
In constructing a continuous monitoring system, numerous feeds from several systems must be correlated and analyzed. Which of the following best provides the capability? A. Intrusion Prevention System B. Identity Management and Access Control System C. Intrusion Detection System D. Security Information and Event Management
D. Security Information and Event Management
A guard dog patrolling the perimeter of a data center is what type of control? A. Recovery B. Administrative C. Logical D. Physical
D. Physical