Domain 2 – Access Control Systems Flashcards
Confidentiality
Not disclosed to unauthorized persons
Integrity
- Prevention of modification by unauthorized users
- Prevention of unauthorized changes by otherwise authorized users
- Internal and External Consistency
- Internal Consistency within the system (i.e. within a database the sum of subtotals is equal to the sum of all units)
- External Consistency – database with the real world (i.e. database total is equal to the actual inventory in the warehouse)
Availability
Timely access
Three things to consider
- Threats – potential to cause harm
- Vulnerabilities – weakness that can be exploited
- Risk – potential for harm
Controls-Preventative
prevent harmful occurrence
Controls-Detective
detect after harmful occurrence
Controls-Corrective
restore after harmful occurrence
Controls-Administrative
policies and procedures
Controls-Logical or Technical
restricted access
Controls-Physical
locked doors
Mandatory access control (MAC)
Authorization of subject’s access to an object depends on labels (sensitivity levels), which indicate subject’s clearance, and the classification or sensitivity of the object
• Every Object is assigned a sensitivity level/label and only users authorized up to that particular level can access the object
• Access depends on rules and not on the identity of the subjects or objects alone
• Only administrator (not owners) may change category of a resource — Orange book B-level
• Output is labeled as to sensitivity level
• Unlike permission bits or ACLs, labels cannot ordinarily be changed
• Can’t copy a labeled file into another file with a different label
• Rule based AC
Discretionary Access Control (DAC)
Subject has authority, within certain limits, to specify what objects can be accessible (e.g., use of ACL)
• User-directed means a user has discretion
• Identity-based means discretionary access control is based on the subject’s identity
• Very common in commercial context because of flexibility
• Orange book C level
• Relies on object owner to control access
• Identity Based AC
Non-Discretionary Access Control
Central authority determines what subjects can have access to certain objects based on organization’s security policy (good for high turnover)
• May be based on individual’s role in the organization (Role-Based) or the subject’s responsibilities or duties (task-based)
Lattice based
provides least access privileges of the access pair
• Greatest lower bound
• Lowest upper bound
Administrative Preventative
Policies and procedures, pre-employment background checks, strict hiring practices, employment agreements, friendly and unfriendly employee termination procedures, vacation scheduling, labeling of sensitive materials, increased supervision, security awareness training, behavior awareness, and sign-up procedures to obtain access to information systems and networks.
Administrative Detective
Policies and procedures, job rotation, sharing of responsibilities
Technical Preventative
Logical system controls, smart cards, biometrics, menu shell
Technical Detective
IDS, logging, monitoring, clipping levels
Physical Preventative
Restrict physical access, guards, man trap, gates
Physical Detective
Motion detectors, cameras, thermal detectors
Identification
establishes accountability
Three Factor Authentication
- Something you know (password)
- Something you have (token)
- Something you are (biometrics)
- Sometimes - something you do
Passwords
- Static – same each time
- Dynamic – changes each time you log on
Tokens – Smartcards
Static Password (like software with PIN)
• Owner Authenticates to the token
• Token authenticates to the system