Domain 2 – Access Control Systems Flashcards

1
Q

Confidentiality

A

Not disclosed to unauthorized person

2
Q

Integrity

A
• Prevention of modification by unauthorized users
• Prevention of unauthorized changes by otherwise authorized users
• Internal and external consistency
• Internal consistency within the system (e.g. within a database, the sum of subtotals equals the sum of all units)
• External consistency with the real world (e.g. the database total equals the actual inventory in the warehouse)
3
Q

Availability

A

Timely access

4
Q

Three things to consider

A
• Threats – potential to cause harm
• Vulnerabilities – weakness that can be exploited
• Risk – potential for harm
5
Q

Controls-Preventative

A

prevent harmful occurrence

6
Q

Controls-Detective

A

detect after harmful occurrence

7
Q

Controls-Corrective

A

restore after harmful occurrence

8
Q

Controls-Administrative

A

Policies and procedures

9
Q

Controls-Logical or Technical

A

restricted access

10
Q

Controls-Physical

A

locked doors

11
Q

Mandatory access control (MAC)

A

Authorization of subject’s access to an object depends on labels (sensitivity levels), which indicate subject’s clearance, and the classification or sensitivity of the object
• Every Object is assigned a sensitivity level/label and only users authorized up to that particular level can access the object
• Access depends on rules and not by the identity of the subjects or objects alone
• Only administrator (not owners) may change category of a resource — Orange book B-level
• Output is labeled as to sensitivity level
• Unlike permission bits or ACLs, labels cannot ordinarily be changed
• Can’t copy a labeled file into another file with a different label
• Rule based AC

12
Q

Discretionary Access Control (DAC)

A

Subject has authority, within certain limits, to specify what objects can be accessible (e.g., use of ACL)
• User-directed means a user has discretion
• Identity-based means discretionary access control is based on the subject's identity
• Very common in commercial context because of flexibility
• Orange book C level
• Relies on object owner to control access
• Identity Based AC

13
Q

Non-Discretionary Access Control

A

Central authority determines what subjects can have access to certain objects based on organization’s security policy (good for high turnover)
• May be based on individual’s role in the organization (Role-Based) or the subject’s responsibilities or duties (task-based)

14
Q

Lattice based

A

provides least access privileges of the access pair
• Greatest lower bound
• Lowest upper bound

15
Q

Administrative Preventative

A

Policies and procedures, pre-employment background checks, strict hiring practices, employment agreements, friendly and unfriendly employee termination procedures, vacation scheduling, labeling of sensitive materials, increased supervision, security awareness training, behavior awareness, and sign-up procedures to obtain access to information systems and networks.

16
Q

Administrative Detective

A

Policies and procedures, job rotation, sharing of responsibilities

17
Q

Technical Preventative

A

Logical system controls, smart cards, biometrics, menu shell

18
Q

Technical Detective

A

IDS, logging, monitoring, clipping levels

19
Q

Physical Preventative

A

Restrict physical access, guards, man trap, gates

20
Q

Physical Detective

A

Motion detectors, cameras, thermal detectors

21
Q

Identification

A

establishes accountability

22
Q

Three Factor Authentication

A
• Something you know (password)
• Something you have (token)
• Something you are (biometrics)
• Sometimes – something you do
23
Q

Passwords

A
• Static – same each time
• Dynamic – changes each time you logon

24
Q

Tokens – Smartcards

A

Static Password (like software with pin)
• Owner Authenticates to the token
• Token authenticates to the system

25
Synchronous Dynamic Password
• Token – generates passcode value
• PIN – user knows
• Token and PIN entered into PC
• Must fit in valid time window
26
Asynchronous
• Similar to synchronous, but the new password is generated asynchronously; no time window
27
Challenge Response
• System generates challenge string
• User enters it into token
• Token generates response, which is entered into workstation
• Mechanism in the workstation determines authentication
28
False Rejection Rate (FRR)
Type I error
29
FAR
Crossover Error Rate (CER): the percentage at which FRR = FAR
30
Biometric Issues
• Enrollment Time – acceptable rate is 2 minutes per person
• Throughput Time – acceptable rate is 10 people per minute
31
Acceptability Issues
privacy, physical, psychological
32
Types of Biometrics-Fingerprints
Are made up of ridge endings and bifurcations exhibited by the friction ridges and other detailed characteristics that are called minutiae.
33
Types of Biometrics-Retina Scans
Scans the blood-vessel pattern of the retina on the backside of the eyeball.
34
Types of Biometrics-Iris Scans
Scans the colored portion of the eye that surrounds the pupil.
35
Types of Biometrics-Facial Scans
Takes attributes and characteristics like bone structures, nose ridges, eye widths, forehead sizes and chin shapes into account.
36
Types of Biometrics-Palm Scans
The palm has creases, ridges and grooves throughout it that are unique to a specific person.
37
Types of Biometrics-Hand Geometry
Measures the shape of a person's hand (the length and width of the hand and fingers).
38
Types of Biometrics-Voice Print
Distinguishing differences in people’s speech sounds and patterns.
39
Types of Biometrics-Signature Dynamics
Electrical signals of speed and time that can be captured when a person writes a signature.
40
Types of Biometrics-Keyboard Dynamics
Captures the electrical signals when a person types a certain phrase.
41
Types of Biometrics-Hand Topology
Looks at the size and width of an individual’s hand and fingers.
42
Kerberos...
Kerberos-Symmetric key encryption
43
Kerberos-KDC
Kerberos-trusted Key Distribution Center
44
Kerberos-TGS
Ticket Granting Service
45
Kerberos-AS
Authentication Server
46
Kerberos…
KDC knows secret keys of Client and Server
47
Kerberos…
KDC exchanges info with the Client and the Server using symmetric keys
48
Kerberos…
Using TGS grants temporary symmetric key
49
Kerberos-Initial Exchange
Client sends hashed password to the TGS server; TGS verifies with the Authentication Server. TGS server responds with:
1) Key for Client and TGS server, encrypted with the Client key: [K(c,tgs)]Kc
2) Ticket Granting Ticket (TGT) = [K(c,tgs), c, a, v]K(tgs)
50
Kerberos-Request for Service
Client sends request for service to TGS with:
1) TGT = [K(c,tgs), c, a, v]K(tgs)
2) Authenticator, encrypted with K(c,tgs)
51
Kerberos-TGS Issues Ticket for Service
TGS sends Client back a ticket for the server and an authenticator for the server:
1) Ticket T(c,s) = [s, c, a, v, K(c,s)]Ks
2) [K(c,s)]K(c,tgs)
52
Kerberos-Receive Service from Server
Client sends Server:
1) Ticket T(c,s) = [s, c, a, v, K(c,s)]Ks
2) Authenticator = [c, t, key]K(c,s)
53
Kerberos weaknesses...
Replay is possible within time frame
54
Kerberos weaknesses…
TGS and Auth server are vulnerable as they know everything
55
Kerberos weaknesses…
Initial exchange based on password authentication
56
Kerberos weaknesses…
Keys are vulnerable
57
SESAME
Secure European System for Applications in a Multi-vendor Environment
• Uses Needham-Schroeder protocol
• Uses public key cryptography
• Supports MD5 and CRC32 hashing
• Uses two tickets:
1) One contains authentication
2) One contains the access rights to the client
58
SESAME weaknesses…
Only authenticates by using first block of message
59
SESAME weaknesses…
Initial exchange based on password authentication
SESAME incorporates two certificates or tickets: one certificate provides authentication as in Kerberos and the other certificate defines the access privileges that are assigned to a client.
60
KryptoKnight
• Peer to peer relationship between KDC (Key Distribution Center) and parties (Client and Server)
• NetSP is based on KryptoKnight
• Supported by RACF
• Authentication
• Key Distribution
• Data Privacy
• Data Integrity
• Single Sign-On
• Administration
61
Centralized ACL-RADIUS
Remote Access Dial-In User Service (incorporates an AS and dynamic password)
62
Centralized ACL-TACACS
Terminal Access Controller Access Control System (for network applications, static pwd)
63
Centralized ACL-TACACS+
Terminal Access Controller Access Control System Plus, supports token authentication
64
Centralized ACL-CHAP
Challenge Handshake Authentication Protocol
• Supports encryption, protects password
65
Decentralized ACL-Relational Database Security
• Relational databases support queries
• Object oriented databases do not support queries
66
Relational Database
• Data structures called tables (relations)
• Integrity rules on allowable values
• Operators on the data in tables
67
Persistency
preservation of integrity through the use of nonvolatile storage media
68
Schema
• Description of the database
• Defined by Data Description Layer (DDL)
69
DBMS
Database Management System
• Provides access to the database
• Allows restriction of access
70
Relational Database
• Relation (table) is the basis of a relational database – a relation is represented by a table
• Rows = records (tuples)
• Columns = attributes
71
Relational Database-Primary Key
• Unambiguously identifies a record; points to a record (tuple)
• Every row (record, tuple) must contain the primary key of the relation (table)
72
Relational Database-Cardinality
Number of rows in a relation (table)
73
Relational Database-Degree
Number of columns in a relation (table)
74
Relational Database-Candidate key
Any identifier that is unique to the record
75
Relational Database-Foreign Key
any value that matches the primary key of another relation (table)
76
Relational Database Operations
• Select – based on criteria, e.g. all items with value > $300.00
• Join – join tables based on a common value
• Union – forms a new relation (table) from two other relations
• View – (virtual table) uses join, project, select; views can be used to restrict access (least privilege)
77
Relational Database Query plan
• Comprised of implementation procedures; the lowest-cost plan is chosen based on “cost”
• Costs are CPU time, disk access
• Bind – used to create plan
78
Data Normalization
Ensures that attributes in a table rely only on the primary key
• Eliminates repeating groups
• Eliminates redundant data
• Eliminates attributes not dependent on the primary key
79
SQL – Structured Query Language
• Select
• Update
• Delete
• Insert
• Grant – access privileges
• Revoke – access privileges
80
OODB
Object Oriented Databases:
• Best suited for multi-media, graphics
• Steep learning curve
• High overhead
81
Network Based IDS
• Real time
• Passive
82
Host Based IDS
• System and event logs
• Limited by log capabilities
83
Signature Based – (Knowledge Based) IDS
• Signatures of an attack are stored and referenced
• Failure to recognize slow attacks
• Must have signature stored to identify
84
Statistical Anomaly Based (Behavior Based) IDS
• IDS determines “normal” usage profile using statistical samples
• Detects anomaly from the normal profile
85
Access Control Issues
• Confidentiality
• Integrity
• Availability
• Accountability of users
86
Measures for compensating for both internal and external access violations
• Backups
• RAID – Redundant Array of Inexpensive Disks
• Fault tolerance
• Business Continuity Planning
• Insurance