Domain 2 – Access Control Systems

Question 1

Confidentiality

Answer 1

Not disclosed to unauthorized person

Question 2

Integrity

Answer 2

• Prevention of modification by unauthorized users
• Prevention of unauthorized changes by otherwise authorized users
• Internal and External Consistency
• Internal Consistency within the system (i.e. within a database the sum of subtotals is equal to the sum of all units)
• External Consistency – database with the real world (i.e. database total is equal to the actual inventory in the warehouse)

Question 3

Availability

Answer 3

Timely access

Question 4

Three things to consider

Answer 4

• Threats – potential to cause harm
• Vulnerabilities – weakness that can be exploited
• Risk – potential for harm

Question 5

Controls-Preventative

Answer 5

prevent harmful occurrence

Question 6

Controls-Detective

Answer 6

detect after harmful occurrence

Question 7

Controls-Corrective

Answer 7

restore after harmful occurrence

Question 8

Controls-Administrative

Answer 8

polices and procedures

Question 9

Controls-Logical or Technical

Answer 9

restricted access

Question 10

Controls-Physical

Answer 10

locked doors

Question 11

Mandatory access control (MAC)

Answer 11

Authorization of subject’s access to an object depends on labels (sensitivity levels), which indicate subject’s clearance, and the classification or sensitivity of the object
• Every Object is assigned a sensitivity level/label and only users authorized up to that particular level can access the object
• Access depends on rules and not by the identity of the subjects or objects alone
• Only administrator (not owners) may change category of a resource — Orange book B-level
• Output is labeled as to sensitivity level
• Unlike permission bits or ACLs, labels cannot ordinarily be changed
• Can’t copy a labeled file into another file with a different label
• Rule based AC

Question 12

2. Discretionary Access Control (DAC)

Answer 12

Subject has authority, within certain limits, to specify what objects can be accessible (e.g., use of ACL)
• User-directed means a user has discretion
• Identity-based means discretionary access control is based on the subjects identity
• Very common in commercial context because of flexibility
• Orange book C level
• Relies on object owner to control access
• Identity Based AC

Question 13

3. Non-Discretionary Access Control

Answer 13

Central authority determines what subjects can have access to certain objects based on organization’s security policy (good for high turnover)
• May be based on individual’s role in the organization (Role-Based) or the subject’s responsibilities or duties (task-based)

Question 14

Lattice based

Answer 14

provides least access privileges of the access pair
• Greatest lower bound
• Lowest upper bound

Question 15

Administrative Preventative

Answer 15

Policies and procedures, pre-employment background checks, strict hiring practices, employment agreements, friendly and unfriendly employee termination procedures, vacation scheduling, labeling of sensitive materials, increased supervision, security awareness training, behavior awareness, and sign-up procedures to obtain access to information systems and networks.

Question 16

Administrative Detective

Answer 16

Polices and procedures, job rotation, sharing of responsibilities

Question 17

Technical Preventative

Answer 17

Logical system controls, smart cards, bio-metrics, menu shell

Question 18

Technical Detective

Answer 18

IDS, logging, monitoring, clipping levels

Question 19

Physical Preventative

Answer 19

Restrict physical access, guards, man trap, gates

Question 20

Physical Detective

Answer 20

Motion detectors, cameras, thermal detectors

Question 21

Identification

Answer 21

establishes accountability

Question 22

Three Factor Authentication

Answer 22

• Something you know (password)
• Something you have (token)
• Something you are (biometrics)
• Sometimes - something you do

Question 23

Passwords

Answer 23

• Static – same each time

* Dynamic – changes each time you logon

Question 24

Tokens – Smartcards

Answer 24

Static Password (like software with pin)
• Owner Authenticates to the token
• Token authenticates to the system

Question 25

Synchronous Dynamic Password

Answer 25

* Token – generates passcode value * Pin – user knows * Token and Pin entered into PC * Must fit in valid time window

Question 26

Asynchronous

Answer 26

• Similar to synchronous, new password is generated asynchronously, No time window

Question 27

Challenge Response

Answer 27

* System generates challenge string * User enters into token * Token generates response entered into workstation * Mechanism in the workstation determines authentication

Question 28

False Rejection Rate (FRR)

Answer 28

Type I error

Question 29

FAR

Answer 29

Crossover Error Rate – (CER) – CER = % when FRR = FAR

Question 30

Biometric Issues

Answer 30

* Enrollment Time – Acceptable rate is 2 minutes per person | * Throughput Time – acceptable rate is 10 people per minute

Question 31

Acceptability Issues

Answer 31

privacy, physical, psychological

Question 32

Types of Biometrics-Fingerprints

Answer 32

Are made up of ridge endings and bifurcations exhibited by the friction ridges and other detailed characteristics that are called minutiae.

Question 33

Types of Biometrics-Retina Scans

Answer 33

Scans the blood-vessel pattern of the retina on the backside of the eyeball.

Question 34

Types of Biometrics-Iris Scans

Answer 34

Scan the colored portion of the eye that surrounds the pupil.

Question 35

Types of Biometrics-Facial Scans

Answer 35

Takes attributes and characteristics like bone structures, nose ridges, eye widths, forehead sizes and chin shapes into account.

Question 36

Types of Biometrics-Palm Scans

Answer 36

The palm has creases, ridges and grooves throughout it that are unique to a specific person.

Question 37

Types of Biometrics-Hand Geometry

Answer 37

The shape of a person’s hand (the length and width of the hand and fingers) measures hand geometry.

Question 38

Types of Biometrics-Voice Print

Answer 38

Distinguishing differences in people’s speech sounds and patterns.

Question 39

Types of Biometrics-Signature Dynamics

Answer 39

Electrical signals of speed and time that can be captured when a person writes a signature.

Question 40

Types of Biometrics-Keyboard Dynamics

Answer 40

Captures the electrical signals when a person types a certain phrase.

Question 41

Types of Biometrics-Hand Topology

Answer 41

Looks at the size and width of an individual’s hand and fingers.

Question 42

Kerberos...

Answer 42

Kerberos-Symmetric key encryption

Question 43

Kerberos-KDC

Answer 43

Kerberos-trusted Key Distribution Center

Question 44

Kerberos-TGS

Answer 44

Ticket Granting Service

Question 45

Kerberos-AS

Answer 45

Authentication Server

Question 46

Kerberos…

Answer 46

KDC knows secret keys of Client and Server

Question 47

Kerberos…

Answer 47

KDC exchanges info with the Client and the Server using symmetric keys

Question 48

Kerberos…

Answer 48

Using TGS grants temporary symmetric key

Question 49

Kerberos-Initial Exchange

Answer 49

Client sends Hash Password to the TGS Server, TGS verifies with the Auth. Server TGS Server responds with: 1) Key for Client and TGS server encrypted with Client Key [K(c,tgs)]Kc 2) Ticket Granting Ticket (TGT) = [K(c, tgs), c,a,v]K(tgs)

Question 50

Kerberos-Request for Service

Answer 50

Client sends request for service to TGS with 1) TGT = [K(c, tgs), c,a,v]K(tgs) 2) Authenticator K(c, tgs)

Question 51

Kerberos-TGS Issues Ticket for Service

Answer 51

TGS sends Client back ticket for server and authenticator for server 1) Ticket T(c,s) = [s,c,a,v,K(c,s)]Ks 2) [K(c,s)]K(c,tgs)

Question 52

Kerberos-Receive Service from Server

Answer 52

Client sends Server 1) Ticket T(c,s) = [s,c,a,v,K(c,s)]Ks 2) authenticator = [c,t,key]K(c,s)

Question 53

Kerberos weaknesses...

Answer 53

Replay is possible within time frame

Question 54

Kerberos weaknesses…

Answer 54

TGS and Auth server are vulnerable as they know everything

Question 55

Kerberos weaknesses…

Answer 55

Initial exchange passed on password authentication

Question 56

Kerberos weaknesses…

Answer 56

Keys are vulnerable

Question 57

SESAME

Answer 57

Secure European System for Applications in a Multi-vendor Environment • Uses Needham-Schroeder protocol • Uses public key cryptography • Supports MD5 and CRC32 Hashing • Uses two tickets 1) One contains authentication 2) One contains the access rights to the client

Question 58

SESAME weaknesses…Only authenticates by using first block of message

Answer 58

Only authenticates by using first block of message

Question 59

SESAME weaknesses…Initial exchange passed on password authentication

Answer 59

SESAME weaknesses…SESAME incorporates two certificates or tickets: One certificate provides authentication as in Kerberos and the other certificate defines the access privileges that are assigned to a client.

Question 60

KryptoKnight

Answer 60

```  Peer to peer relationship between KDC – Key Distribution Center and parties (Client and Server)  NetSP is based on KryptoKnight  Supported by RACF • Authentication • Key Distribution • Data Privacy • Data Integrity • Single Sign-On • Administration ```

Question 61

Centralized ACL-RADIUS

Answer 61

Remote Access Dial-In User Service (incorporates an AS and dynamic password)

Question 62

Centralized ACL-TACACS

Answer 62

Terminal Access Controller Access Control System (for network applications, static pwd)

Question 63

Centralized ACL-TACACS+

Answer 63

Terminal Access Controller Access Control System Plus, supports token authentication

Question 64

Centralized ACL-CHAP

Answer 64

Challenge Handshake Authentication Protocol | Supports encryption, protects password

Question 65

Decentralized ACL-Relational Database Security

Answer 65

* Relational Databases support queries | * Object oriented databases do not support queries

Question 66

Relational Database

Answer 66

* Data structures called tables (relations) * Integrity Rules on allowable values * Operators on the data in tables

Question 67

Persistency

Answer 67

preservation of integrity through the use of nonvolatile storage media

Question 68

Schema

Answer 68

* Description of the database | * Defined by Data Description Layer (DDL)

Question 69

DBMS

Answer 69

Database Management System • provides access to the database • Allows restriction of access

Question 70

Relational Database

Answer 70

* Relation (table) is the basis of a relational database – relation is represented by a table * Rows = Records (tuples) * Column = Attributes

Question 71

Relational Database-Primary Key

Answer 71

* Unambiguously identifies a record. Points to a record (tuple) * Every row (record, tuple) must contain the primary key of the relation (table)

Question 72

Relational Database-Cardinality

Answer 72

of rows in a relationship (table)

Question 73

Relational Database-Degree

Answer 73

of columns in a relationship (table)

Question 74

Relational Database-Candidate key

Answer 74

any identifier that is a unique to the record

Question 75

Relational Database-Foreign Key

Answer 75

any value that matches the primary key of another relation (table)

Question 76

Relational Database Operations

Answer 76

* Select – based on criteria i.e. all items with value > $300.00 * Join - join tables based on a common value * Union – forms a new relation (table) from two other relations * View – (virtual table) uses join, project, select - Views can be used to restrict access (least privileges)

Question 77

Relational Database Query plan

Answer 77

* Comprised of implementation procedures, lowest cost plan based on “cost” * Costs are CPU time, Disk Access * Bind – used to create plan

Question 78

Data Normalization

Answer 78

Ensures that attributes in a table rely only on the primary key • Eliminates repeating groups • Eliminates redundant data • Eliminates attributes not dependent on the primary key

Question 79

SQL – Structured Query Language

Answer 79

* Select * Update * Delete * Insert * Grant – Access Privileges * Revoke – Access Privileges

Question 80

OODB

Answer 80

Object Oriented Databases: • Best suited for multi-media, graphics • Steep learning curve • High overhead

Question 81

Network Based IDS

Answer 81

* Real Time | * Passive

Question 82

Host Based IDS

Answer 82

* System and event logs | * Limited by log capabilities

Question 83

Signature Based – (Knowledge Based) IDS

Answer 83

* Signatures of an attack are stored and referenced * Failure to recognize slow attacks * Must have signature stored to identify

Question 84

Statistical Anomaly Based (Behavior Based) IDS

Answer 84

* IDS determines “normal” usage profile using statistical samples * Detects anomaly from the normal profile

Question 85

Access Control Issues

Answer 85

* Confidentiality * Integrity * Availability * Accountability of users

Question 86

Measures for compensating for both internal and external access violations

Answer 86

* Backups * RAID – Redundant Array of Inexpensive Disks * Fault Tolerance * Business Continuity Planning * Insurance