Domain 5 Flashcards
Identification
Subjects claim an identity, and identification can be as simple as a username for a user.
Authentication
Subjects prove their identity by providing
authentication credentials such as the
matching password for a username.
Authorization
After authenticating subjects, systems
authorize access to objects based on their
proven identity.
Accountability
Auditing logs and audit trails record events including the identity of the subject that performed an action.
identification + authentication + auditing = ACCOUNTABILITY
Primary Authentication Factors
Something you know (pin or password) type 1
Something you have (trusted) type 2
Something you are (biometric) type 3
Multifactor Authentication
includes two or more authentication factors
more secure than using a single authentication factor.
-Passwords are the weakest form of authentication, password policies help increase their security by enforcing complexity and history requirements.
-Smartcards include microprocessors and
cryptographic certificates
- Tokens create onetime passwords
- Biometric methods identify users based on characteristics such as fingerprints.
FAR
False acceptance rate occurs when an invalid subject is authenticated.
Type 2 biometric error (false positive)
FRR
False rejection rate occurs when a valid subject is rejected.
Type 1 biometric error (false negative)
CER
Crossover Error Rate
The crossover error rate identifies the accuracy of a biometric method.
It shows where the false rejection rate is equal to the false acceptance rate.
SSO
Single Sign-On is a mechanism that allows subjects to authenticate once and access multiple objects without authenticating again.
Common SSO methods/standards
— SAML — OAuth 2.0 — OpenID — Kerberos — SESAME — KryptoKnight
SAML
Security Assertion Markup Language
SSO Mechanism
Federated Identity Management
an XML based, open standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.
Uses tokens
OAuth 2.0
is an open standard for authorization, commonly used as a way for Internet users to log into third party websites using their Microsoft, Google, Facebook, Twitter, One Network etc. accounts without exposing their password.
OpenID
managed through OpenID foundation
is an open standard, It provides decentralized authentication, allowing users to log into multiple unrelated websites with one set of credentials
maintained by a third party service referred to as an OpenID provider.
AAA Protocols
Several protocols provide centralized Authentication, Authorization, and Accounting services.
Network access or remote access systems use AAA protocols
RADIUS
TACACS+
Diameter
RADIUS
AAA protocol
uses UDP and encrypts the password only.
TACAS+
AAA protocol
uses TCP and encrypts the entire session.
Diameter
AAA protocol
is based on RADIUS and improves many of the weaknesses of RADIUS, but Diameter is not compatible with RADIUS.
Identity and access provisioning lifecycle
Refers to account
creation
management
deletion
Authorization Mechanisms
Access control models use many different types of authorization mechanisms, or methods to control who can access specific objects
Implicit Deny
A basic principle of access control is
implicit deny and most authorization
mechanisms use it.
The implicit deny principle ensures that access to an object is denied unless access has been explicitly granted to a subject.
Access Control Matrix
a table that includes subjects, objects, and assigned privileges. When a subject
attempts an action, the system checks the access control matrix to determine if the
subject has the appropriate privileges to perform the action.
Capability Tables
are another way to identify privileges assigned to subjects. They are different from ACLs in that a capability table is focused on subjects (such as users, groups, or roles).
Constrained Interface
use constrained interfaces or restricted interfaces to restrict what users can do or
see based on their privileges. Users with full privileges have access.
Applications constrain the interface using different methods.
Content-Dependent Control
restrict access to data based on the content within an object.
A database view is a content dependent control.
Context-Dependent Control
require specific activity before granting
users access.
example: data flow for a transaction selling digital products
DAC
Discretionary Access Control
every object has an owner, and the owner can grant or deny access to any other subjects.
RBAC
Role Based Access Control
Instead of assigning permissions directly to users, user accounts are placed in roles and administrators assign privileges to the roles.
Rule-based Access Control
applies global rules that apply to all subjects. Rules within this model are sometimes referred to as restrictions or filters
example: a firewall uses rules that allow or block traffic to all users equally.
ABAC
Attribute Based Access Control
this model is its use of rules that can include multiple attributes.
This allows it to be much more flexible than a rule based access control model that applies the rules to all subjects equally.
often used by software defined networks (SDNs)
MAC
Mandatory Access Control
uses of labels applied to both subjects and objects.
For example, if a user has a label of top secret, the user can be granted access to a top secret document. In this example, both the subject and the object have matching labels.
referred to as a lattice based model.
Preventative Access Controls
deployed to stop unwanted or unauthorized activity from occurring
EXAMPLES: fences, locks, biometrics, mantraps, alarm systems, job rotation, data classification, penetration testing, access control methods
Detective Access Controls
deployed to discover unwanted or unauthorized activity. Often are after the fact controls rather than real time controls.
EXAMPLES: security guards, guard dogs, motion detectors, job rotation, mandatory vacations, audit trails, intrusion detection systems, violation reports, honey pots, and incident investigations,
Corrective Access Controls
deployed to restore systems to normal after an unwanted or unauthorized
activity has occurred. minimal capability to respond to access violations.
EXAMPLES: intrusion detection systems, antivirus solutions, alarms, mantraps, business continuity planning, and security policies,
Deterrent Access Controls
deployed to discourage the violation of security policies. A deterrent control picks up where prevention leaves off.
EXAMPLES: locks, fences, security badges, security guards, mantraps,
security cameras, trespass or intrusion alarms, separation of duties, awareness training, encryption, auditing, and firewalls.
Administrative Access Controls
policies and procedures defined by an organizations security policy to
implement and enforce overall access control. Focus on two areas: personnel and business practices (e.g., people and policies).
EXAMPLES: policies, procedures, hiring practices, background checks, data classification, security training, vacation history, reviews, work supervision, personnel controls, and testing.
Logical/Technical Access Controls
the hardware or software mechanisms used to manage access to resources and systems and provide protection for those resources and systems.
EXAMPLES: encryption, smart cards, passwords, biometrics, constrained
interfaces, access control lists (ACLs), protocols, firewalls, routers, intrusion detection systems, and clipping levels.
Physical Access Controls
barriers deployed to prevent direct contact with systems or portions of a facility.
EXAMPLES: guards, fences, motion detectors, locked doors, sealed windows, lights, cable protections, laptop locks, swipe cards, guard dogs, video cameras, mantraps, and alarms.
Access Controls
deployed to provide options to other existing controls to aid in the enforcement and support of a security policy.
EXAMPLES: security policy, personnel supervision, monitoring, and work task procedures.
Directive Access Controls
deployed to direct, confine, or control the actions of subject to force or encourage compliance with security policies.
EXAMPLES: security guards, guard dogs, security policy, posted notifications, escape route exit signs, monitoring, supervising, work task procedures, and awareness training.
Recovery Access Controls
deployed to repair or restore resources, functions, and capabilities after a violation of security policies. more advanced or complex capability to respond to access violations than a corrective access control.
EXAMPLES: backups and restores, fault tolerant drive systems, server clustering, antivirus software, and database shadowing.
Basic Elements of Risk
-Risk is the possibility or likelihood that a threat can exploit a vulnerability and
cause damage to assets.
- Asset valuation identifies value of assets, threat modeling identifies threats against these assets.
- Vulnerability analysis identifies weaknesses in an organization’s valuable assets.
Dictionary Attacks
These are programs with built in dictionaries. They would use all dictionary
words to attempt and find the correct password, in the hope that a user would have used a standard dictionary word.
Brute Force
This type of attack is attempting to break the password by trying all possible words.
Spoofed logon screens
The last access control attack is to implement a fake logon screen, and when a user attempts to login, the logon screen will send the username and password to the hacker
Sniffer Attacks
In a sniffer attack (or snooping attack) an attacker uses a packet capturing tool (such as a sniffer or protocol analyzer) to capture, analyze, and read data sent over a network.
Attackers can easily read data sent over a network in cleartext
Spoofing Attacks
Spoofing is pretending to be something or someone else, and it is used in many types of attacks, including access control attacks. Attackers often try to obtain the credentials of users so that they can spoof the user’s identity.
Spoofing attacks include email spoofing, phone number spoofing, and IP spoofing.
Social Engineering
an attempt by an attacker to convince someone to provide info (like a password) or perform an action they wouldn’t normally perform (such as clicking on a malicious link)
Social engineers often try to gain access to the IT infrastructure or the physical facility.
Phishing
commonly used to try to trick users into giving up personal information (such as user accounts and passwords), click a malicious link, or open a malicious attachment.
Spear Phishing
phishing that targets specific groups of users
Whaling
phishing that targets high level executives.
Vishing
phishing that uses VoIP technologies.
Access Aggregation
is a type of attack that combines, or aggregates, non-sensitive information to learn sensitive information and is used in reconnaissance attacks.
How to prevent password attacks (dictionary, brute force)
Passwords should be long, complex and changed periodically
There should be a strong password policy in place to enforce.
Also enforcing other measures such as account lockout after X logon attempts, etc.
How to prevent spoofed logon screens
The Best prevention is to have secure endpoints, where these fake logon screens cannot be implemented
TEMPEST
allows the electronic emanations that every monitor produces to be read from a
distance (effective on CRT monitors).
Shoulder surfing for newer monitor displays
White Noise
broadcasting false traffic at all times to mask and hide the presence of real emanations.
Ways to prevent theft, which reduces risk
RFID, Barcoding, and Inventory
represent the ability to prevent theft, which reduces risk.
Kerberos
- Single sign-on
- common with active directory
- primary purpose is authentication, as it allows users to prove their identity.
- provides a measure of confidentiality and integrity using symmetric key encryption, but these are not its primary purpose.
- does not include logging capabilities so it does not provide accountability.
- susceptible to replay attacks
The Kerberos logon process
- The user types a username and password into the client.
- The client encrypts the username with AES for transmission to the KDC.
- The KDC verifies the username against a database of known credentials.
- The KDC generates a symmetric key that will be used by the client and the Kerberos server. It encrypts this with a hash of the user’s password. The KDC also generates an encrypted time-stamped TGT.
- The KDC then transmits the encrypted symmetric key and the encrypted time-stamped TGT to the client.
- The client installs the TGT for use until it expires. The client also decrypts the symmetric key using a hash of the user’s password.
Kerberos Components
Key Distribution System (KDC) contains authentication service and ticket granting service
Authentication Service (AS) issues
Ticket Granting Tickets (TGT) passed to
Ticket Granting Service (TGS) issues
Service Tickets (ST) sent by user to
Services (systems/applications)
