CISSP (Domain 1 - Access Control) Flashcards

1
Q

What Are Access Control Mechanisms

A

Protect information and resources from unauthorized disclosure, modifications, and destruction

2
Q

3 main types of Access Control Mechanisms

ATP

A
  • administrative (closest to data)
  • technical
  • physical
3
Q

Administrative Controls

A

How you should act.

Development of policies, standards, and procedures. (Ex. How servers should be installed)

Screening personnel, security awareness training, monitoring activity.

4
Q

Technical Controls

A

Protect Data.

Logical mechanisms that provide password and resource management, identification and authentication, and software configuration.

Ex: anti-virus software, IDS, encryption

5
Q

Physical Controls

A

Address physical threats. Barrier against bad people.

Protecting individual systems, the network, employees, and the facility from physical damage.

Ex: Removing floppy drives, security guards monitoring facility.

6
Q

7 Access Control Types/Categories

PDCDRCD

A
  • Preventative
  • Detective
  • Corrective
  • Deterrent
  • Recovery
  • Compensation
  • Directive
7
Q

Preventive - AC Type*

A

Controls to prevent undesirable events.

Administrative - Policies, background checks
Technical - Passwords, Firewalls
Physical - Badges/Swipe Cards, CCTV

8
Q

Detective - AC Type*

A

Controls to identify undesirable events

Administrative - Job Rotation, Inspections
Technical - IDS, Review audit logs
Physical - Human evaluation of cameras

9
Q

Corrective - AC Type

A

Controls to correct the effects of undesirable events

Ex: Patch systems

10
Q

Deterrent - AC Type

A

Controls to discourage security violations

Ex: Signs

11
Q

Recovery - AC Type

A

Controls to restore resources

Ex: Restore backups

12
Q

Compensation - AC Type

A

Controls to provide alternative solutions

Ex: Personal PC vs. Hardware

13
Q

Directive - AC Type

A

Policies to preclude or mandate actions to reduce risk

14
Q

Access Control

A

Security features that control how subjects and objects communicate and interact with other subjects and objects

15
Q

Access Control - Subject/Object/Access

A

Subject: Active entity that requests access to an object or the data within the object.

Object: Passive entity that contains information

Access: Ability of subject to do something (CRUD)

16
Q

4 Steps of Access Control

IAAA

A
  1. Identification
  2. Authentication
  3. Authorization
  4. Accounting
17
Q

Access Control - Identification

A

Identify the subject

Ex: username, smartcard

18
Q

Access Control - Authentication

A

Proving the subject is who it claims to be

Ex: second piece of credential set

19
Q

Access Control - Authorization

A

Granting access to resources based on criteria

20
Q

Access Control - Accounting

A

Keeping records of activity

21
Q

3 Types of Authentication

KHA

A

Type 1: Something you know (Password, PIN, Pass-phrase)
Type 2: Something you have (smart card, OTP, RSA Key)
Type 3: Something you are (Biometrics)

22
Q

Mutual Authentication (Two-way Authentication)

A

Both entities authenticate each other

23
Q

One-Time Password

A

Dynamic password only good for one use/session.

Type 2 authentication - something you have

24
Q

Token Device - Pro/Con

A

Pro:

  • Not as vulnerable to electrical eavesdropping
  • Higher level of protection than static passwords

Con:

  • Can be lost
  • Can fall prey to masquerading if user shares info
25
Q

Cryptographic Keys Can Be Used To Do What With An Identity

A

Private key or digital signature can be used to prove one’s identity

26
Q

Smart Card (what does it have that's different)

A

Has a microprocessor

After threshold of failed login attempts it can render itself unusable

27
Q

Authentication - Type 3 User Has: Error Types (2)

A
  • Type 1 Error: False Rejection Rate (FRR)
  • Type 2 Error: False Accept Rate (FAR)

28
Q

Authentication - Biometrics (Type I Error)

A

False Reject Rate (FRR) - Rejection of an authorized individual.

29
Q

Authentication - Biometrics (Type II Error)

A

False Acceptance Rate (FAR) - Acceptance of imposter

30
Q

Authentication - Biometrics (Crossover Error Rate)

A

Represents the point at which the Type I errors equal the Type II errors.

Combines error and sensitivity levels.

Lower the number the better.

31
Q

Why we need Crossover Error Rate for Biometrics (2 reasons)

A
  • Comparison of tools (Accuracy)
  • Determine calibration of device

32
Q

Types of Biometrics - Physical & Behavioral/Dynamic

A

Physical:

  • Fingerprint
  • Palm Print
  • Retina Scan (scans blood vessel patterns of retina)

Behavioral/Dynamic:

  • Signature Dynamics
  • Voice Print
33
Q

Access Control - Dual Control

A

Two people are required to complete a process

34
Q

8 Kerberos Components

DC/P/R/GS/AS/GT/ST/K

A
  • Kerberos Domain Controller (KDC) Most Important
  • Principals (Users, Applications, Services)
  • Realm
  • Ticket Granting Service (TGS)
  • Authentication Server (AS)
  • Ticket Granting Ticket (TGT)
  • Ticket (Service Ticket)
  • Secret and Submission Keys
35
Q

4 Things to Know about Kerberos (SSO, Enc Type, tickets, expire)

A
  • Kerberos is a SSO Authentication System
  • Symmetric Encryption (Shared Keys)
  • Relies on tickets to establish connections (two types: session and secret)
  • Relies on timing mechanism to expire keys
36
Q

5 Things for Kerberos Domain Center (KDC)

most/db/mgmt/authn/sess

A
  • Most important component
  • Maintains DB of secret keys
  • Centralized key management
  • AuthN identities of users
  • Distributes session keys when principals communicate
37
Q

Kerberos Authentication Process (6 Steps)

A
  • User authenticates to Authentication Service (AS) on KDC
  • AS Sends initial Ticket Granting Ticket (TGT) to user
  • User wants to access resource and requests Session Ticket (ST) from TGS
  • ST has two instances of a session key (user/resource)
  • User sends ST to resource for authN
  • AuthN communication encrypted
38
Q

3 Types of Access Control Models

A
  • Discretionary Access Control (DAC) TCSEC
  • Mandatory Access Control (MAC) TCSEC
  • Role-Based Access Control (RBAC) NIST
39
Q

Discretionary Access Control (DAC)

object/prov/size/common/type/ex

A
  • Every object has an owner
  • Owner can grant and take away access to object
  • Good for small user base
  • Most common implementation is with Access Control Lists (ACL)
  • Identity Based System
  • s1 creates o1; s1 grants s2 access to o1
40
Q

Mandatory Access Control (MAC)

acc/usr-obj/sec/data/proc

A
  • Access based on security clearance of subject and classification of object
  • Each user has a clearance/Each object has a classification
  • Access defined by the system and not data owner
  • Used for classified data
  • System Based Process
41
Q

4 Government Classification Types

A
  • Top Secret
  • Secret
  • Confidential
  • Unclassified
42
Q

MAC Security Labels (2 things)

A
  • Each object has a security label with its classification
  • MAC access decisions are based on labels

43
Q

Role-Based Access Control (RBAC)

acc/ass/mgmt/needs

A
  • Allow access to objects based on the role the user holds within the company
  • Admins assign a user to a role and then assign access rights to that role
  • Good for high turnover
  • Based on Job Description or needs of the user
44
Q

Lattice Based Access Control (LBAC)

acm/aka/ex

A
  • Complex ACM based on interaction between any combination of objects and subjects
  • AKA label-based or rule-based access control
  • Ex: Firewall
45
Q

5 Goals of Identity Management

A
  • Integrity and Non-Repudiation*
  • Confidentiality
  • AuthN and AuthZ
  • Provisioning
  • Management of AuthZ policies
46
Q

Security Assertion Markup Language (SAML)

Frame/exch/forw/indep

A
  • Framework for authorization and authentication
  • Allows for exchange of security information between vendors
  • Allows for Forwarding
  • Vendors are administrated independently
47
Q

Log Protection Issue

A

Attackers try to “scrub” logs to cover their tracks. Only administrators should have access to them.

48
Q

Control Against Signal Capture: TEMPEST

A

Special shielding in equipment to lower the amount of radiation leakage.

Faraday cage: usually heavy metal casings

49
Q

3 Steps to Access Control (Administration)

A
  • Company decides upon the access control model they will implement (DAC and MAC)
  • Company decides on technologies and techniques
  • Company decides how access will be managed
    + Centralized, Decentralized, Hybrid Approach
50
Q

Centralized Access Control Systems

makes/decides/aaa/ex

A
  • One entity makes access decisions
  • Senior management decides what users can access specific objects
  • AAA Service Provider (AuthN/AuthZ/Accounting)
  • Ex: RADIUS/TACACS+/DIAMETER
51
Q

Remote Authentication Dial-In User Servers (RADIUS)

A
  • AuthN protocol used to AuthN/AuthZ users
  • Usually contains a database of users and credentials

52
Q

Terminal Access Controller Access Control System (TACACS+)

A
  • AuthN protocol used to AuthN remote users
  • Splits authentication, authorization, and accountability features
  • Cisco proprietary protocol
53
Q

DIAMETER

A
  • Protocol designed as the next generation RADIUS
  • RADIUS only 256 Attribute Value Pairs (AVP) via SLIP
  • 2^32 AVP - 4.3 Billion
54
Q

Decentralized Administration

A
  • Control is given to people closer to the resource
  • Managers usually have better judgement about users who should have access to different resources