CISSP (Domain 1 - Access Control) Flashcards
What Are Access Control Mechanisms
Protect information and resources from unauthorized disclosure, modifications, and destruction
3 main types of Access Control Mechanisms
ATP
- administrative (closest to data)
- technical
- physical
Administrative Controls
How you should act.
Development of policies, standards, and procedures. (Ex. How servers should be installed)
Screening personnel, security awareness training, monitoring activity.
Technical Controls
Protect Data.
Logical mechanisms that provide password and resource management, identification and authentication, and software configuration.
Ex: anti-virus software, IDS, encryption
Physical Controls
Physical Threats. Barrier between bad people.
Protecting individual systems, the network, employees, and the facility from physical damage.
Ex: Removing floppy drives, security guards monitoring facility.
7 Access Control Types/Categories
PDCDRCD
- Preventative
- Detective
- Corrective
- Deterrent
- Recovery
- Compensation
- Directive
Preventive - AC Type*
Controls to prevent undesirable events.
Administrative - Policies, background checks
Technical - Passwords, Firewalls
Physical - Badges/Swipe Cards, CCTV
Detective - AC Type*
Controls to identify undesirable events
Administrative - Job Rotation, Inspections
Technical - IDS, Review audit logs
Physical - Human evaluation of cameras
Corrective - AC Type
Controls to correct the effects of undesirable events
Ex: Patch systems
Deterrent - AC Type
Controls to discourage security violations
Ex: Signs
Recovery - AC Type
Controls to restore resources
Ex: Restore backups
Compensation - AC Type
Controls to provide alternative solutions
Ex: Personal PC vs. Hardware
Directive - AC Type
Policies to preclude or mandate actions to reduce risk
Access Control
Security features that control how subjects and objects communicate and interact with other subjects and objects
Access Control - Subject/Object/Access
Subject: Active entity that requests access to an object or the data within the object.
Object: Passive entity that contains information
Access: Ability of subject to do something (CRUD)
4 Steps of Access Control
IAAA
- Identification
- Authentication
- Authorization
- Accounting
Access Control - Identification
Identify the subject
Ex: username, smartcard
Access Control - Authentication
Proving the subject is who it claims to be
Ex: second piece of credential set
Access Control - Authorization
Granting access to resources based on a criteria
Access Control - Accounting
Keeping records of activity
3 Types of Authentication
KHA
Type 1: Something you know (Password, PIN, Pass-phrase)
Type 2: Something you have (smart card, OTP, RSA Key)
Type 3: Something you are (Biometrics)
Mutual Authentication (Two-way Authentication)
Both entities authenticate each other
One-Time Password
Dynamic password only good for one use/session.
Type 2 authentication - something you have
Token Device - Pro/Con
Pro:
- Not as vulnerable to electrical eavesdropping
- Higher level of protection than static passwords
Con:
- Can be lost
- Can fall prey to masquerading if user shares info
Cryptographic Keys Can Be Used To Do What With An Identity
Private key or digital signature can be used to prove one’s identity
Smart Card (what does it have that's different)
Has a microprocessor
After threshold of failed login attempts it can render itself unusable
Authentication - Type 3 User Has: Error Types (2)
- Type 1 Error: False Rejection Rate (FRR)
- Type 2 Error: False Accept Rate (FAR)
Authentication - Biometrics (Type I Error)
False Reject Rate (FRR) - Rejection of an authorized individual.
Authentication - Biometrics (Type II Error)
False Acceptance Rate (FAR) - Acceptance of imposter
Authentication - Biometrics (Crossover Error Rate)
Represents the point at which the Type I errors equal the Type II errors.
Combines error and sensitivity levels.
Lower the number the better.
Why we need Crossover Error Rate for Biometrics (2 reasons)
- Comparison of tools (Accuracy)
- Determine calibration of device
Types of Biometrics - Physical & Behavioral/Dynamic
Physical:
- Fingerprint
- Palm Print
- Retina Scan (scans blood vessel patterns of retina)
Behavioral/Dynamic:
- Signature Dynamics
- Voice Print
Access Control - Dual Control
Two people are required to complete a process
8 Kerberos Components
DC/P/R/GS/AS/GT/ST/K
- Kerberos Domain Controller (KDC) Most Important
- Principals (Users, Applications, Services)
- Realm
- Ticket Granting Service (TGS)
- Authentication Server (AS)
- Ticket Granting Ticket (TGT)
- Ticket (Service Ticket)
- Secret and Submission Keys
4 Things to Know about Kerberos (SSO, Enc Type, tickets, expire)
- Kerberos is a SSO Authentication System
- Symmetric Encryption (Shared Keys)
- Relies on tickets to establish connections (two types: session and secret)
- Relies on timing mechanism to expire keys
5 Things for Kerberos Domain Center (KDC)
most/db/mgmt/authn/sess
- Most important component
- Maintains DB of secret keys
- Centralized key management
- AuthN identities of users
- Distributes session keys when principals communicate
Kerberos Authentication Process (6 Steps)
- User authenticates to Authentication Service (AS) on KDC
- AS Sends initial Ticket Granting Ticket (TGT) to user
- User wants to access resource and requests Session Ticket (ST) from TGS
- ST has two instances of a session key (user/resource)
- User sends ST to resource for authN
- Authn communication encrypted
3 Types of Access Control Models
- Discretionary Access Control (DAC) TCSEC
- Mandatory Access Control (MAC) TCSEC
- Role-Based Access Control (RBAC) NIST
Discretionary Access Control (DAC)
object/prov/size/common/type/ex
- Every object has an owner
- Owner can grant and take away access to object
- Good for small user base
- Most common implementation is with Access Control Lists (ACL)
- Identity Based System
- s1 creates o1, s1 grants s2 access to o1
Mandatory Access Control (MAC)
acc/usr-obj/sec/data/proc
- Access based on security clearance of subject and classification of object
- Each user has a clearance/Each object has a classification
- Access defined by the system and not data owner
- Used for classified data
- System Based Process
4 Government Classification Types
- Top Secret
- Secret
- Confidential
- Unclassified
MAC Security Labels (2 things)
- Each object has a security label with its classification
- MAC access decisions are based on labels
Role-Based Access Control (RBAC)
acc/ass/mgmt/needs
- Allow access to objects based on the role the user holds within the company
- Admins assign a user to a role and then assign access rights to that role
- Good for high turnover
- Based on Job Description or needs of the user
Lattice Based Access Control (LBAC)
acm/aka/ex
- Complex ACM based on interaction between any combination of objects and subjects
- AKA label-based or rule-based access control
- Ex: Firewall
5 Goals of Identity Management
- Integrity and Non-Repudiation*
- Confidentiality
- AuthN and AuthZ
- Provisioning
- Management of AuthZ policies
Security Assertion Markup Language (SAML)
Frame/exch/forw/indep
- Framework for authorization and authentication
- Allows for exchange of security information between vendors
- Allows for Forwarding
- Vendors are administered independently
Log Protection Issue
Attackers try to “scrub” logs to cover their tracks. Only administrators should have access to them.
Control Against Signal Capture: TEMPEST
Special shielding in equipment to lower amount of radiation leakage.
Faraday cage: usually heavy metal casings
3 Steps to Access Control (Administration)
- Company decides upon the access control model they will implement (DAC and MAC)
- Company decides on technologies and techniques
- Company decides how access will be managed
+ Centralized, Decentralized, Hybrid Approach
Centralized Access Control Systems
makes/decides/aaa/ex
- One entity makes access decisions
- Senior management decides what users can access specific objects
- AAA Service Provider (AuthN/AuthZ/Accounting)
- Ex: RADIUS/TACACS+/DIAMETER
Remote Authentication Dial-In User Service (RADIUS)
- AuthN protocol used to AuthN/AuthZ users
- Usually contains a database of users and credentials
Terminal Access Controller Access Control System (TACACS+)
- AuthN protocol used to AuthN remote users
- Splits authentication, authorization, and accountability features
- Cisco proprietary protocol
DIAMETER
- Protocol designed as the next generation RADIUS
- RADIUS only 256 Attribute Value Pairs (AVP) via SLIP
- 2^32 AVP - 4.3 Billion
Decentralized Administration
- Control is given to people closer to the resource
- Managers usually have better judgement about users who should have access to different resources