Chapter 14 - Controlling And Monitoring Access Flashcards

1
Q

Identity based access control model

A

A discretionary access control model is an identity-based access control model. It allows the owner (or data custodian) of a resource to grant permission at the discretion of the owner. The role-based access control is based on role or group membership. The rule-based access control model is based on rules within an ACL. The mandatory access control model uses assigned labels to identify access.

2
Q

Main differences between discretionary and nondiscretionary access control models

A

The main difference is in how they are controlled and managed. Administrators centrally administer nondiscretionary access controls and can make changes that affect the entire environment. In contrast, discretionary access control models allow owners to make their own changes, and their changes don’t affect other parts of the environment.

3
Q

What best describes a characteristic of the mandatory access control model?

A

It is prohibitive and uses an implicit-deny philosophy (not an explicit-deny philosophy). It is not permissive, and it uses labels rather than rules.

4
Q

What is being used to identify potential attackers/threats?

A

Threat modeling helps identify, understand, and categorize potential threats. Asset valuation identifies the value of assets, and vulnerability analysis identifies weaknesses that can be exploited by threats. An access review and audit ensures that account management practices support the security policy.

5
Q

Difference between implicit deny and explicit deny

A

Implicit deny is a method of controlling access to data by denying access to all data and then granting access only to what users need to do their jobs.

The converse is explicit deny, where you deny access only to a smaller set of data and permit access to all other data (worst practice).

6
Q

Microprobing

A

The use of needles, driven by ultrasonic vibrations, to remove the outer protective material on the card’s circuits. Once this is completed, data can be accessed and manipulated by directly tapping into the card’s ROM chips. This is considered an invasive attack that can be used against smart cards.

7
Q

ISO standard created for smart cards

A

ISO 14433

8
Q

Virtual Password

A

A virtual password is a password of the length and format required by the application. For example, an application may require your virtual password to be 64 bits so that it can be used as a key with the AES algorithm. Not all applications require that passphrases be turned into key sizes.

9
Q

SAML, SOAP, and HTTP

A

As an example, when you log in to your company’s portal and double-click a link for Salesforce, your company’s portal takes this request and your authentication data, packages it up in SAML format, and encapsulates that data in a SOAP message. This message is transmitted over an HTTP connection to the Salesforce vendor site, and once you are authenticated you can interact with the vendor software. SAML packages up the authentication data, SOAP packages up the web service request and the SAML data, and the request is transmitted over an HTTP connection.

10
Q

Differences between combi cards and hybrid cards

A

Hybrid cards have dual chips in them, with the capability of using both the contact format and the contactless antenna model. Both types have an antenna in order to work in contactless mode.

11
Q

Extended TACACS (XTACACS)

A

XTACACS separates authentication, authorization, and accounting processes.

12
Q

RADIUS authentication process

A

The user dials into an access server; the access server prompts the user for credentials; the user enters the credentials; the access server forwards the credentials to the RADIUS server; the RADIUS server accepts or rejects the request.

13
Q

Web portal vs web portlets

A

Web portals are parts of a website that act as points of access to information in a unified manner. A web portal is made up of portlets, which are pluggable user interface software components that present information from other systems. In addition, a portlet is an interactive application that provides a specific type of web services functionality.

14
Q

Which model implements access control matrices to control how subjects interact with objects?

A

DAC is implemented and enforced through the use of access control lists (ACLs), which are held in a matrix. MAC is implemented and enforced through the use of security labels.

15
Q

Cookies

A

A cookie can be in the format of a text file stored on the user’s hard drive (permanent), or it can be held in memory only (session). If the cookie contains any type of sensitive information, it should only be held in memory and should be erased once the session has completed.
