Chapter 3 - Access Control Flashcards
Access
The flow of information between subject and object
Access control
Used to restrict access, to authenticate the entity requesting it, and to preserve the AIC (availability, integrity, confidentiality) of the data
Subject
The requesting entity of an object
Object
A passive entity that holds information
Identification
Claiming an identity, e.g. presenting a username or account number (nothing is proven yet)
Authentication
Proving the claimed identity with a credential, e.g. the password that goes with the username
Authorization
Being granted access based on your authenticated identity
Accountability
Once you have been authenticated and authorized, your actions are logged and tied to your identity, so you can be held responsible for them
Logical access controls
Boolean operator controls: if authorized then access, otherwise deny
Race Condition
When authentication and authorization are separate processes that must run in order (process 1, then process 2) and nothing enforces that order
The attacker triggers process 2 (authorization) directly and skips process 1 (authentication); a time-of-check/time-of-use flaw in the access control path
What are the factors of authentication?
Something a person knows, has, or is
Verification ratio
Used to see how many people are authenticated by the same token
Auth by knowledge
A password, a pin, a combination
Auth by ownership
Key, badge, access card
Auth by characteristic
Biometrics
Strong auth
Two or more different factors (multi-factor authentication), not two of the same kind
Mutual auth
This is when each side authenticates the other
IdM
Identity management - controlling identities in an environment so that actions are accountable
IdM meta directories
A directory that physically aggregates and synchronizes identity data copied from HR systems, SQL databases, AD, etc. into one store
This is primarily useful for systems that are not LDAP-integrated
What makes up X.500?
Directory structure standard
Must have a parent child tree
Each entry unique
Attributes defined in schema
Unique IDs called distinguished names (DNs)
Virtual directory
Similar to a meta directory except it holds no copy of the data; it points to the authoritative source and answers by querying it
WAM
Web access management
Web server receives the authentication request
Web server passes it to the WAM component and gets access approval back
Sends back a session cookie
Browser presents the cookie on further requests as its security context
Cookie
Browser side data storage
Permanent- stored on the hard drive for later usage and access
Session- temporary token stored in memory for use with session state
Single sign on
Sign in once; as long as you present the token (cookie) the server issued, the participating systems accept you without asking again
Password synchronization
Reduces number of passwords known by changing the multiple systems to the same password
Self-service password reset
Reduces help desk volume by letting users reset their own password, typically after answering security questions or clicking a link sent by email
Assisted password reset
Two-person password reset: an authenticated help desk person sets a temporary password (e.g. changemenow) and the user is forced to change it at first login
What is an example of a bad security question ?
What is your mothers maiden name?
This is public information
Single sign on
One authentication to rule them all!
Account management
Automated construction and destruction of accounts on all necessary systems
Authoritative source
The system or record that is the source of truth for a piece of identity data; the place where it is originally written
Identity repository
The centralized location of information regarding accounts
Authoritative system of record
A hierarchy that tracks what changed, where and by whom across the environment
User provisioning
From hired to fired what happens to your account
Self-service
Users can change their own information
Federated
If you trust that guy, send me his authenticated session
Digital identity
Made of
Attributes
Entitlements
Traits
Federated identity
This is the authenticated token being passed around
Web portal
A site that contains multiple website feeds
Yahoo
Msn
Portlet
This is an individual module that displays website information on a web portal
XML
Extensible markup language
Used to standardize a way of communicating between platforms
SPML
Service provisioning markup language
Request authority
Provisioning service provider
Provisioning service target
SAML
Security assertion markup language
Used for passing authentication in a unified format
Web services
An application that exposes functionality over web protocols (HTTP, XML) for other programs to call, not just a site a person browses
SOAP
Simple object access protocol
An XML-based messaging protocol for exchanging structured requests and responses between web services
XACML
Extensible access control markup language
Used to express access control policies and to exchange authorization requests and decisions between services
Extensible
Means the vocabulary can be extended: new tags are defined in a schema rather than fixed by the language
OASIS
Standards body that maintains the security-related XML standards (SAML, SPML, XACML); XML itself is a W3C standard
What makes XML standards different?
The schema
What are the error types in biometrics?
1 - False rejection: refused an authorized person (false rejection rate, FRR)
2 - False acceptance: allowed an unauthorized person (false acceptance rate, FAR)
Crossover error rate or equal error rate?
The point where the percentages of both error types match; lower is better, so a 3% CER beats a 4% CER
What causes type 2 errors to switch over to type 1 errors?
Sensitivity: tightening the match threshold cuts false acceptances but raises false rejections, and loosening it does the reverse
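Worked example, added here and not part of the original flashcards: a small Python script that computes the two error types over constructed biometric match scores and sweeps the sensitivity threshold to find the crossover point. The score lists, the threshold grid and the function names are assumptions made for this illustration, not data from any real device.

```python
# Constructed match scores (1.0 = perfect match). Genuine = the enrolled user,
# impostor = someone else presenting themselves as that user.
GENUINE = [0.95, 0.9, 0.85, 0.8, 0.75, 0.7, 0.65, 0.6, 0.5, 0.4]
IMPOSTOR = [0.1, 0.2, 0.3, 0.35, 0.4, 0.45, 0.5, 0.55, 0.6, 0.7]
THRESHOLDS = [round(0.05 * i, 2) for i in range(1, 20)]   # sensitivity settings 0.05 ... 0.95

def error_rates(genuine, impostor, threshold):
    """Type 1 = false reject rate (genuine scores below the threshold),
    type 2 = false accept rate (impostor scores at or above it)."""
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far

def crossover_error_rate(genuine, impostor, thresholds):
    """Sweep the sensitivity setting; the CER/EER is where type 1 and type 2 rates meet.
    Returns (threshold, rate) for the setting where the two rates are closest."""
    best = None
    for t in thresholds:
        frr, far = error_rates(genuine, impostor, t)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    _, threshold, cer = best
    return threshold, cer

if __name__ == "__main__":
    # Raising the threshold moves errors from type 2 (accepting impostors) to type 1 (rejecting users).
    for t in (0.5, 0.6, 0.7):
        frr, far = error_rates(GENUINE, IMPOSTOR, t)
        print(f"threshold {t:.2f}: type 1 (FRR) {frr:.0%}  type 2 (FAR) {far:.0%}")
    print("crossover (threshold, CER):", crossover_error_rate(GENUINE, IMPOSTOR, THRESHOLDS))
```

With these scores the sweep shows type 2 errors dominating at low thresholds, type 1 errors dominating at high ones, and the two meeting at 20% when the threshold is 0.6; a device with a lower CER than that is the better one.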
Replay attack?
When authentication data is captured now and re-sent later, e.g. a sniffed password or session token
What ways can you steal a password?
Electronic monitoring (sniffing)
Access the password database
Brute force attack
Dictionary attack
Social engineering
Rainbow table (precomputed hash table)
What is last login messaging for?
To show the user when the last (successful) login occurred, so they can spot logins or attempts that were not theirs
Clipping level
A threshold: the number of allowed failures (e.g. failed logins) before the event is logged, an alert is raised, or the account is locked
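Worked example, added here and not taken from the flashcards or any product: a Python detector that applies a clipping level to constructed sshd-style log lines (five failures inside a ten-minute window raises an event) and builds the data a last-login banner would show. The log format, the threshold, the window and the function names are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style log lines; the exact format is an assumption made for this example.
SAMPLE_LOG = """\
2024-03-01T08:00:01 sshd: Failed password for alice from 10.0.0.5
2024-03-01T08:00:03 sshd: Failed password for alice from 10.0.0.5
2024-03-01T08:00:04 sshd: Failed password for alice from 10.0.0.5
2024-03-01T08:00:06 sshd: Failed password for alice from 10.0.0.5
2024-03-01T08:00:07 sshd: Failed password for alice from 10.0.0.5
2024-03-01T08:00:09 sshd: Accepted password for alice from 10.0.0.5
2024-03-01T08:15:00 sshd: Failed password for bob from 10.0.0.9
2024-03-01T09:30:00 sshd: Failed password for bob from 10.0.0.9
2024-03-01T09:31:00 sshd: Accepted password for bob from 10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)$"
)
CLIPPING_LEVEL = 5              # failures tolerated inside the window before an event is raised
WINDOW = timedelta(minutes=10)

def parse(log):
    """Yield (timestamp, result, user, ip) for every line that matches the expected format."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]

def clipping_alerts(log, level=CLIPPING_LEVEL, window=WINDOW):
    """Return {user: failure count} for accounts that reached the clipping level within the window.
    Failures older than the window slide out, so two failures an hour apart never add up."""
    recent = defaultdict(list)
    alerts = {}
    for ts, result, user, _ip in parse(log):
        if result != "Failed":
            continue
        recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
        if len(recent[user]) >= level:
            alerts[user] = max(alerts.get(user, 0), len(recent[user]))
    return alerts

def last_login_info(log, user):
    """What a last-login banner shows: the most recent successful login (time, source IP) and the
    number of failed attempts that preceded it since the previous success. None if never logged in."""
    last_ok, pending = None, 0
    for ts, result, u, ip in parse(log):
        if u != user:
            continue
        if result == "Accepted":
            last_ok, pending = (ts.isoformat(), ip, pending), 0
        else:
            pending += 1
    return last_ok

if __name__ == "__main__":
    print("clipping level reached:", clipping_alerts(SAMPLE_LOG))
    for user in ("alice", "bob", "carol"):
        print(user, "->", last_login_info(SAMPLE_LOG, user))
```

Alice's five rapid failures trip the clipping level; Bob's two failures are 75 minutes apart and never do. The banner data for Alice reports five failed attempts before her successful login, which is exactly the signal last-login messaging is meant to put in front of the user.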
What is the most effective way to crack stolen password hashes?
Rainbow tables (precomputed hash lookups); they only work against unsalted hashes
How does someone make a password hash secure?
Salts - random characters added to the password before hashing, unique per user, so precomputed tables are useless and identical passwords hash differently; pair the salt with a slow hash function
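Worked example, added here and not from the flashcards: the unsalted scheme beside the salted one in Python. A precomputed table built once from a constructed mini wordlist cracks any unsalted SHA-256 database instantly, while the salted PBKDF2 records force the attacker to redo the slow derivation per word and per user. The wordlist, record format and function names are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Constructed mini dictionary standing in for a real wordlist.
WORDLIST = ["password", "letmein", "qwerty", "123456", "dragon"]

def hash_unsalted(password):
    """The weak scheme: one fast, unsalted hash per password."""
    return hashlib.sha256(password.encode()).hexdigest()

def precomputed_table(words):
    """Attacker side: hash every candidate once, then reuse the table against any unsalted
    password database (a plain lookup table; real rainbow tables compress this with chains)."""
    return {hash_unsalted(w): w for w in words}

def crack_unsalted(digest, table):
    """One dictionary lookup per stolen hash; no hashing at attack time."""
    return table.get(digest)

def hash_salted(password, salt=None, iterations=100_000):
    """The hardened scheme: per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    The record stores everything needed to verify later: algorithm, cost, salt, derived key."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_salted(password, stored):
    """Recompute with the stored salt and cost; constant-time compare avoids a timing leak."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

def crack_salted(stored, words):
    """With a salt the attacker must redo the slow KDF per word for *this* record only;
    nothing computed here helps against the next user's record."""
    return next((w for w in words if verify_salted(w, stored)), None)

if __name__ == "__main__":
    table = precomputed_table(WORDLIST)
    print("unsalted, cracked by table lookup:", crack_unsalted(hash_unsalted("letmein"), table))
    a, b = hash_salted("letmein"), hash_salted("letmein")
    print("same password, different salted records:", a != b)
    print("salted guess still succeeds for a weak password, one record at a time:", crack_salted(a, WORDLIST))
```

The salt does not make a weak password strong; it removes the attacker's ability to amortize work across users and across breaches, and the iteration count makes each remaining guess expensive.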
Cognitive passwords
Fact or opinion based question and answer
Two types of synchronous tokens for one time password
Time synchronous
Counter synchronous
The shared secret key lives on the device and at the server; both compute the same OTP independently
Counter-based is also called?
Event based
Asynchronous token
Challenge is sent from server, token makes a password out of it using an algorithm and generates a OTP
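Worked example, added here and not part of the original flashcards: all three token styles in Python. The counter-synchronous (event-based) token is RFC 4226 HOTP, the time-synchronous one is RFC 6238 TOTP built on it, and the asynchronous token answers a server-chosen challenge. The server-side `verify_hotp` with its look-ahead window and the `challenge_response` construction are assumptions made for this example; the HOTP/TOTP code follows the RFCs and is checked against their published test vectors.

```python
import hashlib
import hmac
import os
import struct
import time

def _truncate(mac, digits):
    """RFC 4226 dynamic truncation: 31 bits taken at an offset chosen by the last nibble."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def hotp(secret, counter, digits=6):
    """Counter-synchronous (event-based) token: HMAC-SHA1 over the 8-byte moving counter."""
    return _truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest(), digits)

def totp(secret, at=None, step=30, digits=6):
    """Time-synchronous token: the counter is the number of 30-second steps since the epoch."""
    t = int(time.time() if at is None else at) // step
    return hotp(secret, t, digits)

def challenge_response(secret, challenge, digits=6):
    """Asynchronous token: the server sends a random challenge, the token answers with a code
    derived from it and the shared secret; no clock or counter has to stay in sync."""
    return _truncate(hmac.new(secret, challenge, hashlib.sha256).digest(), digits)

def verify_hotp(secret, code, server_counter, window=5):
    """Server side of HOTP: accept the code if it matches the current counter or the next few
    (the button may have been pressed without a login) and return the new counter, else None.
    A code at or behind the stored counter is refused, which is what defeats replay."""
    for i in range(window + 1):
        if hmac.compare_digest(hotp(secret, server_counter + i), code):
            return server_counter + i + 1
    return None

if __name__ == "__main__":
    secret = b"12345678901234567890"              # RFC 4226 / RFC 6238 test secret
    print("HOTP for counters 0..2:", [hotp(secret, c) for c in range(3)])
    print("TOTP at T=59s (8 digits):", totp(secret, at=59, digits=8))
    challenge = os.urandom(8)                      # server-chosen nonce
    print("challenge-response:", challenge_response(secret, challenge))
    print("server accepts counter 2, new counter:", verify_hotp(secret, hotp(secret, 2), 0))
    print("replay of counter 0 after advancing:", verify_hotp(secret, hotp(secret, 0), 1))
```

The only difference between the two synchronous tokens is what feeds the counter: an event count the two sides increment together, or the clock. Either way the server must persist its counter (or its last accepted time step) or the same code can be replayed.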
Digital signatures
Used to authenticate with public keys (PKI): signing a challenge with the private key proves possession, and the certificate binds the public key to the identity
Pass phrase
LongPhraseThatIsHardTocrackAndStealFrom
Authentication memory card
A read only verification of who you are
An ATM card is used with a pin, the ATM card is a memory card
Contact vs contact less smart card
Contact has an electrical contact pad through which it sends and receives I/O
Contactless has an antenna that carries the I/O over radio
What is fault generation?
Deliberately inducing faults (voltage glitches, clock manipulation, heat) to see if the device leaks useful data or skips a check
Side channel attack
Inferring secrets from what the device leaks physically (power draw, timing, electromagnetic emissions) rather than breaking the logic itself
I.e. measuring the electromagnetic response a smart card gives while it computes
Microprobing
Tampering with a chip directly: removing the protective layer (e.g. with ultrasonic vibration) and using needle probes to reach the embedded ROM or bus
ISO 14443
Smart card standardization
RFID
Radio frequency id
Low security due to low processing capabilities
What can be used to set access controls?
Role
Group
Location
Time
Transaction type
Kerberos
Authentication methodology using shared secret keys
KDC
Key distribution center - used to create and store the shared Kerberos keys
Principals
Users, applications or services registered with the KDC
Each one shares its own long-term secret key with the KDC
How do tickets work?
The ticket granting service (TGS) issues a ticket that lets one principal prove its identity to another; the ticket is encrypted with the target principal's key, so only the KDC could have created it
How does Kerberos work?
- User sends its identity (not the password) to the KDC's authentication service
- KDC replies with a ticket granting ticket (TGT) encrypted under the TGS key, plus a session key encrypted under the user's long-term key (derived from the password)
- The client decrypts the session key locally with the entered password; a wrong password simply fails to decrypt, so the password never crosses the network
- To reach another principal (a service), the client presents the TGT and an authenticator to the TGS and requests a service ticket
- The TGS returns a service ticket encrypted under the service's key, plus a new session key for client and service
- The client sends the service ticket and a fresh authenticator to the service, which decrypts the ticket with its own key, checks the authenticator, and grants or denies access
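Worked example, added here and not from the flashcards or any Kerberos implementation: the three exchanges above simulated in Python with a KDC, one service and a client. Real Kerberos uses AES and ASN.1 messages; this stands in a toy HMAC-based authenticated encryption (`seal`/`unseal`) so the script runs with the standard library only. The principal names, passwords, ACL and the 300-second authenticator freshness check are assumptions made for the example.

```python
import hashlib
import hmac
import json
import os
import time

def kdf(password):
    """Long-term key derived from a password (real Kerberos uses string2key with a salt)."""
    return hashlib.sha256(password.encode()).digest()

def _keystream(key, nonce, n):
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:n]

def seal(key, obj):
    """Toy encrypt-then-MAC (HMAC keystream XOR + HMAC tag); stands in for the real cipher."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    def __init__(self, principals):
        self.keys = {name: kdf(pw) for name, pw in principals.items()}   # one shared secret each
        self.tgs_key = os.urandom(32)          # the ticket granting service's own key

    def as_exchange(self, user):
        """AS-REQ/AS-REP: the client sends only its name. The reply is a session key sealed under
        the user's key (only the right password opens it) plus a TGT sealed under the TGS key
        (the client can neither read nor forge it)."""
        sk = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"user": user, "sk": sk})
        return seal(self.keys[user], {"sk": sk}), tgt

    def tgs_exchange(self, tgt, authenticator, service):
        """TGS-REQ/TGS-REP: open the TGT, check the authenticator with the session key inside it,
        then issue a service ticket sealed under the target service's key."""
        t = unseal(self.tgs_key, tgt)
        auth = unseal(bytes.fromhex(t["sk"]), authenticator)
        if auth["user"] != t["user"] or abs(time.time() - auth["ts"]) > 300:
            raise PermissionError("authenticator does not match TGT")
        ssk = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"user": t["user"], "sk": ssk})
        return seal(bytes.fromhex(t["sk"]), {"sk": ssk}), ticket

class Service:
    def __init__(self, name, password, acl):
        self.name, self.key, self.acl = name, kdf(password), acl

    def ap_exchange(self, ticket, authenticator):
        """AP-REQ: the service opens the ticket with its own key; only the KDC could have sealed
        it, so the user name inside is trusted. Then the service applies its own ACL."""
        t = unseal(self.key, ticket)
        auth = unseal(bytes.fromhex(t["sk"]), authenticator)
        if auth["user"] != t["user"]:
            raise PermissionError("authenticator does not match service ticket")
        return t["user"] in self.acl

def client_login(kdc, user, password, service):
    """Client side of all three exchanges. The password never leaves this function."""
    rep, tgt = kdc.as_exchange(user)
    sk = bytes.fromhex(unseal(kdf(password), rep)["sk"])       # wrong password -> ValueError
    rep2, ticket = kdc.tgs_exchange(tgt, seal(sk, {"user": user, "ts": time.time()}), service.name)
    ssk = bytes.fromhex(unseal(sk, rep2)["sk"])
    return service.ap_exchange(ticket, seal(ssk, {"user": user, "ts": time.time()}))

# Constructed realm: two users and a file service, all registered with the KDC.
kdc = KDC({"alice": "correct horse", "mallory": "hunter2", "fileserver": "svc-secret"})
fileserver = Service("fileserver", "svc-secret", acl={"alice"})

if __name__ == "__main__":
    print("alice   ->", client_login(kdc, "alice", "correct horse", fileserver))
    print("mallory ->", client_login(kdc, "mallory", "hunter2", fileserver))
```

Note what each party can and cannot read: the client never sees inside the TGT or the service ticket, the service never sees the user's key, and a wrong password fails at the client before anything is sent to the TGS.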
How is SESAME and Kerberos different?
Kerberos is strictly symmetric; SESAME uses both asymmetric and symmetric cryptography
SESAME uses Privileged Attribute Certificates (PACs) where Kerberos uses tickets
GSS-API
Standard API used to programmatically use these authentication mechanisms in applications
Thin client
A machine that stores no data locally; it relies on a server for applications and storage
Discretionary access control
The owner decides: I made it, I can access it, I control who else can (via ACLs)
This is the Windows model; permissions follow the user, so a process can be run in another user's context (runas)
Non discretionary access?
Access set centrally by the administrator or the system rather than by the owner; a group policy is non-discretionary because it is forced on the user
Security or sensitivity labels
In a mandatory access model it is a security level assigned to a document. If you have that level of clearance you can see it. For granularity there is also a need-to-know (compartment) check
Role based access control
The permissions are set to groups defined by job function rather than department or specific person
What is the difference between static an dynamic separation of duties ?
Static: if you hold role X you can never be assigned role Y
Dynamic: you may hold both, but a single session cannot activate Y while you are working as X
Rule based access
This is access based strictly on if then statements
Constrained UI
Limiting the user interface to only what you want them to be able to do
What is capability and acl?
A capability is bound to the subject: the list of objects it may touch and how. An ACL is bound to the object: the list of subjects it admits and their rights (row vs column of the same access matrix)
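Worked example, added here and not part of the original flashcards, covering the models on the cards above in one Python script: MAC labels with a clearance level and need-to-know compartments, RBAC with a static and a dynamic separation-of-duties constraint, and a DAC access matrix read both as ACLs and as capability lists. The levels, roles, permissions, SoD pairs and objects are assumptions constructed for the example.

```python
# --- MAC: sensitivity labels ------------------------------------------------------
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

class Label:
    """A hierarchical level plus need-to-know compartments."""
    def __init__(self, level, compartments=()):
        self.level = LEVELS[level]
        self.compartments = frozenset(compartments)
    def dominates(self, other):
        return self.level >= other.level and self.compartments >= other.compartments

def mac_can_read(clearance, document):
    """Simple security property: read only at or below your level, and only with need-to-know."""
    return clearance.dominates(document)

def mac_can_write(clearance, document):
    """*-property: no write down; writing to a more sensitive label is allowed."""
    return document.dominates(clearance)

# --- RBAC with separation of duties -------------------------------------------------
ROLE_PERMS = {
    "clerk": {"invoice:create"},
    "approver": {"invoice:approve"},
    "auditor": {"invoice:read"},
}
STATIC_SOD = [("clerk", "approver")]      # may never be held by one person
DYNAMIC_SOD = [("approver", "auditor")]   # may be held, but not active in the same session

class RBAC:
    def __init__(self):
        self.user_roles = {}
    def assign(self, user, role):
        held = self.user_roles.setdefault(user, set())
        for a, b in STATIC_SOD:
            if {a, b} <= held | {role}:
                raise ValueError(f"static SoD violation: {user} cannot hold {a} and {b}")
        held.add(role)
    def session(self, user, active_roles):
        """A session activates a subset of the user's roles; only those roles grant anything."""
        active = set(active_roles)
        if not active <= self.user_roles.get(user, set()):
            raise ValueError(f"{user} does not hold all of {sorted(active)}")
        for a, b in DYNAMIC_SOD:
            if {a, b} <= active:
                raise ValueError(f"dynamic SoD violation: {a} and {b} active in one session")
        return Session(user, active)

class Session:
    def __init__(self, user, roles):
        self.user, self.roles = user, roles
    def permitted(self, perm):
        return any(perm in ROLE_PERMS[r] for r in self.roles)

# --- DAC: one access matrix, read per object (ACL) or per subject (capability) -------
ACLS = {                                   # object -> {subject: rights}, set by each owner
    "report.doc": {"alice": {"read", "write"}, "bob": {"read"}},
    "budget.xls": {"alice": {"read"}},
}

def acl_check(obj, subject, right):
    """Object side: does this object's ACL admit the subject with that right?"""
    return right in ACLS.get(obj, {}).get(subject, set())

def capability_list(subject):
    """Subject side: the same matrix's row, every object the subject may touch and how."""
    return {obj: rights[subject] for obj, rights in ACLS.items() if subject in rights}

if __name__ == "__main__":
    crypto_clearance = Label("secret", {"crypto"})
    print("secret/crypto reads confidential/crypto:", mac_can_read(crypto_clearance, Label("confidential", {"crypto"})))
    print("secret/crypto reads secret/crypto+nuclear:", mac_can_read(crypto_clearance, Label("secret", {"crypto", "nuclear"})))
    rbac = RBAC()
    rbac.assign("bob", "approver")
    rbac.assign("bob", "auditor")
    print("bob approving in an approver-only session:", rbac.session("bob", ["approver"]).permitted("invoice:approve"))
    print("bob's capabilities:", capability_list("bob"))
```

The MAC check fails on need-to-know even when the level is high enough, which is the granularity point on the sensitivity-label card; the RBAC part shows why the static and dynamic constraints are enforced at different times (assignment versus session activation).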
Content dependent access
Access decisions made on the content of the object itself, e.g. a content filter inspecting web traffic or a database view that hides the salary column
Sensitivity based decisions
Context dependent access
Access control that understands order of operations and surrounding state. A stateful firewall knows a SYN must come before a SYN/ACK
This also prevents aggregation/inference attacks: a user may see A and B, or A and C, but never all of A, B and C together
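Worked example, added here and not part of the original flashcards: a Python stateful packet filter that makes the context-dependent decision on the card above (a SYN/ACK is allowed only if the matching SYN was seen first) and layers a content-dependent check on established flows (a marked-sensitive payload may not leave the protected network). The address prefix, the packet representation, the marker string and the constructed packet sequence are assumptions made for the example.

```python
INSIDE_PREFIX = "10.0.0."     # constructed: addresses of the protected network

def _inside(ip):
    return ip.startswith(INSIDE_PREFIX)

class StatefulFilter:
    """Context-dependent filter: a packet is judged by where its conversation stands."""
    def __init__(self):
        self.pending = set()        # flows that sent a SYN and await the SYN/ACK
        self.established = set()    # flows that completed the handshake

    def decide(self, pkt):
        flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        flags = pkt["flags"]
        if flags == {"SYN"}:
            if not _inside(pkt["src"]):
                return "drop"                      # nobody outside may open a connection
            self.pending.add(flow)
            return "allow"
        if flags == {"SYN", "ACK"}:
            if reverse in self.pending:            # the SYN we saw is the context this needs
                self.pending.discard(reverse)
                self.established.add(reverse)
                return "allow"
            return "drop"                          # SYN/ACK before any SYN: out of order
        if flow in self.established or reverse in self.established:
            # content-dependent check on top: look at what is actually being sent
            if _inside(pkt["src"]) and b"CONFIDENTIAL" in pkt.get("payload", b""):
                return "drop"
            return "allow"
        return "drop"                              # data for a flow that never handshook

def _pkt(src, sport, dst, dport, *flags, payload=b""):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": set(flags), "payload": payload}

# Constructed sequence: an unsolicited SYN/ACK, a real handshake, a request and reply,
# an attempt to send marked data out, and an inbound connection attempt.
SEQUENCE = [
    _pkt("203.0.113.7", 80, "10.0.0.5", 40000, "SYN", "ACK"),
    _pkt("10.0.0.5", 40000, "203.0.113.7", 80, "SYN"),
    _pkt("203.0.113.7", 80, "10.0.0.5", 40000, "SYN", "ACK"),
    _pkt("10.0.0.5", 40000, "203.0.113.7", 80, "ACK", payload=b"GET / HTTP/1.0\r\n"),
    _pkt("203.0.113.7", 80, "10.0.0.5", 40000, "ACK", payload=b"HTTP/1.0 200 OK\r\n"),
    _pkt("10.0.0.5", 40000, "203.0.113.7", 80, "ACK", payload=b"CONFIDENTIAL: q3 numbers"),
    _pkt("203.0.113.7", 51000, "10.0.0.5", 22, "SYN"),
]

def run(packets):
    """Feed packets through one filter instance and return its decisions in order."""
    fw = StatefulFilter()
    return [fw.decide(p) for p in packets]

if __name__ == "__main__":
    for p, verdict in zip(SEQUENCE, run(SEQUENCE)):
        print(f"{verdict:5} {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} {sorted(p['flags'])}")
```

The first and third packets are byte-for-byte identical; only the context (whether a SYN preceded them) changes the verdict. That is the difference between a stateless rule list and a context-dependent control.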
AAA
Authentication, authorization, auditing (also called accounting)
Radius vs tacacs+
RADIUS encrypts only the password (the rest of the packet is in clear), combines authentication and authorization in one exchange, and uses UDP
TACACS+ encrypts the whole packet body, separates authentication, authorization and accounting, and uses TCP
Diameter
Twice the RADIUS: the successor AAA protocol built for today's protocol-rich world (mobile IP, VoIP, wireless). Peer-to-peer rather than client-server, runs over TCP/SCTP, more extensible and more secure than RADIUS, but not backward compatible with it
Access control layers
Administrative
Technical
Physical
Audit reduction tool
Used to filter logs down to the specific events of interest so the volume can actually be reviewed
SEM/SIEM
Security event (and information) management: collects, normalizes and correlates audit logs from many sources
Scrubbing
Deleting log events that show an attackers presence
Object reuse
Media must be sanitized before reuse, e.g. a thumb drive overwritten with zeros/ones before someone else gets it, so residual data cannot be recovered
Emanation security
Electronics emanate electro-magnetic waves that can be caught and recreated
TEMPEST
Used as a standard to shield electronics from emanating
White noise
Random interference that overwhelms and overpowers useful information
Faraday cage
A conductive enclosure that blocks electromagnetic emanations from leaving (or entering)
Network IDS
A sensor (e.g. Wireshark or Snort) whose NIC runs in promiscuous mode so it sees all traffic on the segment, not just its own
Host based IDS
Monitors activity inside one system: files, processes, logs, system calls
Types of IDS monitors
Signature - pattern/stateful
Anomalies - statistical/protocol/traffic/rule
What is a signature?
A pattern
What is being in the zoo
Malware that exists only in researchers' and vendors' collections and is not spreading in the wild
Misdirecting IDS
Send IDS systems on a goose chase while you sneak in the other way
What is the difference between false positive and negative
Positive- flagging good traffic as bad
Negative- flagging bad traffic as good
Icmp attacks
ICMP messages abused by stuffing them with unexpected or oversized payloads, e.g. to tunnel data past a firewall or crash a weak IP stack
Signature based IDS
Pattern matching
Stateful matching - compares sequences
Signatures must be updated
Cannot identify new attacks
Anomaly based IDS
Behavior based on normal baseline
Can detect new attacks
Called behavioral/heuristic
Statistical - baseline vs now
Protocol - that packet is malformed
Traffic - why is this bandwidth spiking
Rule based IDS
If/then rules
Expert-system style inference engine can chain facts and rules
Resource intensive to build and maintain
Cannot detect attacks no rule describes
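Worked example, added here and not from the flashcards or any IDS product: the detector families on the cards above as Python functions run over constructed inputs. Signature matching finds known patterns; the protocol check flags traffic that does not parse as the protocol the port carries (so it catches things no signature names); the statistical check flags a traffic spike against a learned baseline. The signatures, the request-line grammar, the baseline numbers and the z-score cutoff are assumptions made for the example.

```python
import re
import statistics

# --- Signature-based: known patterns (constructed, not a real rule set) ---------------
SIGNATURES = {
    "path-traversal": re.compile(rb"\.\./\.\./"),
    "sqli-tautology": re.compile(rb"'\s*or\s*1\s*=\s*1", re.IGNORECASE),
}

def signature_matches(payload):
    """Pattern matching: every signature whose pattern occurs in the payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(payload)]

# --- Anomaly-based, protocol: does this even look like HTTP? ------------------------
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n")

def protocol_anomaly(payload):
    """True when traffic on the HTTP port is not a well-formed request line."""
    return REQUEST_LINE.match(payload) is None

# --- Anomaly-based, statistical/traffic: compare now against the baseline -------------
def traffic_anomalies(baseline, observed, z=3.0):
    """Indexes of observation windows whose count sits more than z standard deviations
    above the baseline mean (the 'why is this bandwidth spiking' check)."""
    mu, sd = statistics.mean(baseline), statistics.pstdev(baseline)
    return [i for i, n in enumerate(observed) if sd and (n - mu) / sd > z]

def classify(payload):
    """Both families over one payload: a novel attack with no signature can still be caught
    by the protocol check, which is the anomaly approach's advantage (and its false-positive risk)."""
    return {"signatures": signature_matches(payload), "protocol_anomaly": protocol_anomaly(payload)}

# Constructed requests per minute: ten quiet minutes as baseline, then a window with a spike.
BASELINE = [100, 110, 95, 105, 100, 90, 105, 95, 110, 100]
OBSERVED = [98, 104, 400, 101]

if __name__ == "__main__":
    for payload in (b"GET /../../etc/passwd HTTP/1.0\r\n",
                    b"POST /login HTTP/1.1\r\nuser=admin' OR 1=1--",
                    b"\x16\x03\x01\x00\xa5\x01"):        # TLS handshake bytes on the HTTP port
        print(payload[:24], "->", classify(payload))
    print("spiking windows:", traffic_anomalies(BASELINE, OBSERVED))
```

The third payload has no signature and would pass a signature-only sensor; it is flagged purely because it is not HTTP where HTTP is expected. The baseline must be learned from clean traffic, or an attacker who was already active during learning becomes "normal".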
What makes a honeypot a legal issue?
The use of entrapment instead of enticement
Enticing - ports open, web page without ssl etc
Entrapment - giving a download link to the hacker and then charging him for hacking when all he did was use your link
Sniffer
Used to analyze promiscuous packets on the network
What is another name for hashing
Message digest
Dictionary attack
Trying a list of known words (and common variations) against a password hash or login until one matches
Brute force
Trying every combination until a response is received
What is a war dialer?
A program that dials ranges of phone numbers to discover modems that answer, giving a way around the network perimeter
Phishing
Tricking users into handing over information through lookalike websites and emails
The URL you see cannot be trusted: link text, and historically JavaScript in the page, can display a legitimate-looking site name that actually points elsewhere
Pharming
The use of fake web sites to pass credentials to, often using DNS poisoning
DNS poisoning
Modifying the DNS responses your machine receives so a legitimate name resolves to an attacker-controlled server
Why is feeling secure with a solution dangerous?
Because you stop looking for security flaws
Identity theft
Using someone’s identity to make non legitimate purchases, or generate false criminal records and warrants