Section 2: Key Concepts, Identification and Authorization Flashcards

1
Q

5 things that would make your information insecure.

A
  1. Not applying security patches or app updates to your system
  2. Using weak passwords such as ‘password’
  3. Downloading programs from the internet
  4. Opening email attachments from unknown senders
  5. Using wireless networks without encryption
2
Q

4 examples of ways confidentiality could be compromised (ATM example)

A
  1. You could lose your laptop containing data
  2. Someone could look over your shoulder while you enter the password.
  3. You could send an email attachment to the wrong person
  4. Attackers could penetrate your system
3
Q

Two things needed to maintain integrity

A
  1. you need to have the means to prevent unauthorized changes to your data
  2. you need the ability to reverse unwanted authorized changes.
4
Q

When is integrity particularly important?

A

when it concerns data that provides the foundation for other decisions

5
Q

4 examples of things that may cause you to lose availability of your data.

A
  1. power loss
  2. operating system or application problems
  3. network attacks
  4. a compromised system
6
Q

What is it called when an outside party like an attacker causes availability issues?

A

a DoS attack
(Denial of Service)

7
Q

What 6 principles make up the Parkerian Hexad?

A
  1. Confidentiality
  2. Integrity
  3. Availability
  4. Possession / Control
  5. Authenticity
  6. Utility
8
Q

How is Integrity defined differently in the Parkerian Hexad model than it is in the CIA Triad?

A

In Parkerian Hexad, integrity doesn’t account for authorized but incorrect modification of data. The data must be whole and completely unchanged from its previous state.

9
Q

If you send an email message that’s altered so it appears to have come from a different email address than the one it was sent from, which Parkerian Hexad principle was violated?

A

Authenticity

10
Q

Which principle of the Parkerian Hexad isn’t necessarily binary in nature?

A

Utility

11
Q

What are the 4 categories of attacks?

A
  1. Interception
  2. Interruption
  3. Modification
  4. Fabrication
12
Q

What type or types of attacks primarily affect Confidentiality?

(CIA Triad)

A

Interception

13
Q

What type or types of attacks primarily affect Integrity?

(CIA Triad)

A
  1. Interruption
  2. Modification
  3. Fabrication
14
Q

What type or types of attacks primarily affect Availability?

(CIA Triad)

A
  1. Interruption
  2. Modification
  3. Fabrication
15
Q

What are interception attacks?

(3 examples)

A
  1. Unauthorized file viewing or copying
  2. Eavesdropping on phone conversations
  3. Reading someone else’s email
16
Q

What kinds of data can interception attacks be conducted against?

A

Data at rest and data in motion

17
Q

Where is data at rest usually stored?

A
  1. hard drive
  2. flash drive
  3. database

(Can be more)

18
Q

What kind of protection does data at rest usually have?

A

some sort of encryption, often at the level of the file or the entire storage device

19
Q

What kind of protection does data in motion usually have?

A

Encryption, but here the encryption protects the network protocol or path used to move data from one place to another.

20
Q

What kind of protections surround data in use?

A

Permissions and authentication of users

21
Q

What are interruption attacks?

A

They make your assets unusable or unavailable either temporarily or permanently

22
Q

What are modification attacks?

A

Involve tampering with an asset

23
Q

What are Fabrication Attacks?

A

Involve generating data, processes, communications, or other similar material.

24
Q

What is a threat?

A

Something that has the potential to cause harm and tends to be specific to certain environments

25
Q

What is vulnerability?

A

Weaknesses, or holes, that threats can exploit to cause you harm.

26
Q

What do you need to have risk in an environment?

A

You must have both a threat and a matching vulnerability that the threat could exploit.

27
Q

What are the 5 steps of the risk management process?

A
  1. Identify Assets
  2. Identify Threats
  3. Assess Vulnerabilities
  4. Assess Risks
  5. Mitigate Risks
28
Q

How would you identify your assets?

A

Enumerate your assets and evaluate the importance of each one.

Once you’ve identified assets in use, decide which ones are critical business assets.

29
Q

How would you determine which assets are critical to conducting business?

A

This generally requires input from the functions that make use of that asset, those that support the asset itself, and potentially other parties as well.

30
Q

How would you Identify threats?

A

After enumerating critical business assets, you can begin to identify threats that might affect them.

31
Q

What 2 frameworks can be used to assess threats against business critical assets?

A
  1. CIA Triad
  2. Parkerian Hexad
32
Q

How would you assess vulnerabilities?

A

Should be done in the context of potential threats.

Any asset can have millions of threats, but only a small number will be relevant.

33
Q

How should you assess risks?

A

Once you’ve identified threats and vulnerabilities for a given asset, you can assess overall risk.

You MUST have a matching threat and vulnerability to have a risk.

34
Q

What 3 categories are controls divided into?

A
  1. physical
  2. logical
  3. administrative
35
Q

What kind of control would a lock be?

A

physical

36
Q

what kind of control would a camera be?

A

physical

37
Q

what kind of control would heating and air conditioning be?

A

physical

38
Q

what kind of control would a backup power generator be?

A

physical

39
Q

Logical controls are also called what?

A

Technical controls.

40
Q

what kind of control is a password?

A

logical

41
Q

what kind of control is encryption?

A

Logical

42
Q

what kind of control are access controls?

A

logical

43
Q

what kind of control is an intrusion detection system?

A

logical

44
Q

what do logical controls do?

A

enable you to prevent unauthorized activities.

45
Q

Which kind of control, if implemented properly and successfully, leaves an attacker or unauthorized user unable to access your applications and data without subverting the controls?

A

logical

46
Q

what do administrative controls represent?

A

authority

47
Q

Administrative controls are useless without what?

A

The authority or ability to ensure that people comply with your controls.

They can actively harm you by giving you a false sense of security.

48
Q

Incident response process consists of what 6 things?

A
  1. Preparation
  2. Detection and analysis
  3. Containment
  4. Eradication
  5. Recovery
  6. Post-incident activity
49
Q

Preparation phase of an incident response consists of what?

A

All of the activities you can perform ahead of time to better handle an incident.

50
Q

What activities are typically involved in preparation of an incident response?

A
  1. Creating policies and procedures that govern incident response and handling
  2. Conducting training and education for both incident handlers and those who are expected to report incidents
  3. Developing and maintaining documentation.
51
Q

What is the detection and analysis phase?
(3)

A

Where action begins in an incident response. This is where you:

  1. Detect an issue
  2. Decide whether it’s actually an incident
  3. Respond appropriately
52
Q

What are the common detection tools you’ll use? (6)

A
  1. IDS (Intrusion detection system)
  2. AV (Antivirus) software
  3. Firewall logs
  4. Proxy logs
  5. Alerts from a security information and event monitoring (SIEM) tool
  6. Managed security service provider (MSSP)
53
Q

The analysis portion of detection and analysis in incident response is often a combination of what? (2)

A

Automation from a tool or service, usually a SIEM tool, and human judgment.

54
Q

What might human intervention look like in analyzing incidents?

A
  1. A review of logs output by various security, network and infrastructure devices.
  2. Contact with the party who reported the incident
  3. General evaluation of the situation.
55
Q

What is Containment in incident response?

A

Taking steps to ensure that the situation doesn’t cause any more damage than it already has—or at least lessen any ongoing harm.

56
Q

What is eradication in incident response?

A

Attempt to remove the effects of the issue from your environment.

57
Q

What is recovery in incident response?

A

Recover the state you were in prior to the incident.

58
Q

What is post-incident activity?

A

You’ll attempt to determine specifically what happened, why it happened, and what you can do to keep it from happening again.

59
Q

What is defense in depth?

A

Formulate a multilayered defense that will allow you to still mount a successful resistance should one or more of your defensive measures fail.

60
Q

What is the lowest standard of defenses you would want?

A
  1. Data
  2. Applications
  3. Host
  4. Internal network
  5. External network
61
Q

What is the goal of defense in depth?

A

To place enough defensive measures between your truly important assets and the attacker so that you’ll notice that an attack is in progress and have enough time to prevent it.

62
Q

What is insufficient entropy?

A

Not enough unpredictability

63
Q

What are 6 defensive measures for external networks?

A
  1. DMZ (Demilitarized zone—a subnetwork containing an organization’s exposed, outward-facing services. Acts as the exposed point to an untrusted network)
  2. VPN
  3. Logging
  4. Auditing
  5. Penetration testing
  6. Vulnerability analysis
64
Q

Name 7 defensive measures of network perimeters.

A
  1. Firewalls
  2. Proxy
  3. Logging
  4. Stateful packet inspection
  5. Auditing
  6. Penetration testing
  7. Vulnerability analysis
65
Q

Name 6 defensive measures for internal networks

A
  1. IDS (Intrusion detection system)
  2. IPS (Intrusion prevention system)
  3. Logging
  4. Auditing
  5. Penetration testing
  6. Vulnerability Analysis
66
Q

Name 11 defensive measures for hosts.

A
  1. Authentication
  2. Antivirus
  3. Firewall
  4. IDS (Intrusion detection system)
  5. IPS (Intrusion prevention system)
  6. Passwords
  7. Hashing
  8. Logging
  9. Auditing
  10. Penetration testing
  11. Vulnerability analysis
67
Q

Name 6 defensive measures for applications

A
  1. SSO (Single sign on)
  2. Content filtering
  3. Data validation
  4. Auditing
  5. Penetration testing
  6. Vulnerability analysis
68
Q

Name 5 defensive measures for data

A
  1. Encryption
  2. Access controls
  3. Backups
  4. Penetration testing
  5. Vulnerability analysis
69
Q

Areas of Information Security (8)

A
  1. Security and risk management
  2. Asset security
  3. Security architecture and engineering
  4. communications and network security
  5. identity and access management
  6. security assessment and testing
  7. security operations
  8. software development security
70
Q

Implicit deny is what?

A

Common in network security

An ACL rule that blocks all traffic that hasn’t been explicitly allowed via another ACL rule.

ACL= Access Control List

71
Q

What is FISMA (Federal Information Security Act)?

A

A US law that establishes an information security framework that government organizations must follow.

72
Q

What is the Gramm-Leach-Bliley Act?

A

If you’re a financial institution, you must explain your information-sharing activities involving customer data and make sure you safeguard that data.

How are you proactively securing that data?

73
Q

What is Due Care?

A

Often called the “prudent man” rule.

Doing what any responsible person would do; in other words, implementing a security measure to mitigate certain risks.

74
Q

What is due diligence?

A

Essentially the management of due care.

Ensuring the implemented security measure was done correctly.

75
Q

What is gross negligence?

A

The opposite of due care.

If you’re not performing due care, or what a “prudent man” would do, and you suffer a loss, you could be held legally liable, i.e. you acted with gross negligence.

76
Q

Authentication can be used to prove the identity of: (4)

A
  1. A user
  2. A service or process running on a computer or server
  3. A workstation or server itself
  4. A network device
77
Q

What is a common example of authentication?

A

Username and password

78
Q

What are 3 aspects of IT management?

A
  1. People
  2. Processes (things running on our servers)
  3. Technology (devices themselves)
79
Q

What are the 5 factors of authentication?

A
  1. Something you know
  2. Something you have
  3. Something you are
  4. Something you do
  5. Somewhere you are
80
Q

Name 2 examples of the “something you know” form of authentication.

A
  1. Password
  2. PIN
81
Q

Name 3 examples of the “something you have” type of authentication.

A
  1. Smart card
  2. RSA token
  3. ATM card to get cash

Things you must physically have in front of you

82
Q

Name an example of the “something you are” type of authentication.

A

Biometrics

83
Q

Name 5 types of physiological Biometrics

A
  1. Face
  2. Fingerprint
  3. Hand scan
  4. Iris scan
  5. DNA
84
Q

Name 3 kinds of behavioral biometrics?

A
  1. Keystroke
  2. Signature
  3. Voice
85
Q

What is two-factor authentication?

A

Uses a combination of two of the three factors of authentication.

  1. Something you have
  2. Something you know
  3. Something you are
86
Q

What is non-repudiation?

A

Used to prevent an entity from denying an action took place.

87
Q

Name two examples of non-repudiation.

A
  1. Digitally signed documents
  2. Auditing system logs
88
Q

What is information security governance?

A

The process of how an organization manages its information security program via policies, procedures, roles, and responsibilities.

Determines how much security is enough security.

89
Q

Why is information security governance important?

A

It provides strategic direction for security activities and ensures that cybersecurity objectives such as effective risk management are achieved.

90
Q

What is identity proofing?

A

Validating someone’s identity before credentials are issued.

91
Q

What is a risk assessment score?

A

probability X impact.

92
Q

What is avoidance?

A

The process of eliminating a risk by not engaging in an activity.

We avoid a risk by eliminating its source altogether.

93
Q

What is acceptance?

A

Accepting an identified risk, meaning no action will be taken when a risk assessment score is low.

94
Q

What is mitigation?

A

The process of taking steps to minimize the impact of a risk.

95
Q

What is Transference?

A

Transferring the responsibility of a risk to a third party, such as insurance.

96
Q

What is residual risk?

A

The risk that remains after risk mitigation or transference activities have taken place.

97
Q

Name 5 types of risk (loss).

A
  1. Monetary
  2. Reputation
  3. Loss of Asset
  4. Intellectual Property
  5. Legal
98
Q

Name 3 sources of threats.

A
  1. Natural
  2. Unintentional
  3. Intentional
99
Q

What is Qualitative Risk?

A

More subjective way of analyzing risk

100
Q

What is Quantitative Risk?

A

More objective way of analyzing risk.

May include specific monetary values, how often a risk occurs, mathematical calculations, etc.

101
Q

What is AV? (Asset Value)

A

The value of an asset

102
Q

What is EF (exposure factor)?

A

the percentage loss of a specific asset if a risk is realized.

103
Q

What is SLE (Single loss expectancy)?

A

The monetary value expected from the occurrence of a risk on an asset

104
Q

What is the formula for SLE

A

SLE = AV x EF

(Single loss expectancy = Asset Value X Exposure Factor)

105
Q

What is ARO (Annual rate of occurrence)?

A

the estimated frequency of a threat occurring in a single year

106
Q

What is ALE (Annualized Loss Expectancy)

A

The monetary loss that can be expected from an asset due to a risk over a one-year period.

107
Q

What is the formula to calculate ALE (Annualized loss expectancy)

A

ALE = SLE x ARO

(Annualized loss expectancy = Single loss expectancy X Annual rate of occurrence)

108
Q

What is an attack surface?

A

It’s a vulnerability: any way an attacker can gain access and pose a security risk.

109
Q

What are 3 common attack surfaces?

A
  1. Applications (those running on our network)
  2. Network (itself)
  3. User
110
Q

When analyzing our applications for attack surfaces we commonly look at:

A
  1. The amount of code (more code means a higher chance of back doors and errors)
  2. Data inputs (inputs should be validated)
  3. System services
  4. Network communication ports (applications communicate on the network through ports, and an attacker might be able to attack the server/system through an open port)
111
Q

When analyzing our network for attack surfaces, we will commonly look at: (4)

A
  1. Overall network design
  2. Placement of mission-critical servers and systems
  3. Placement and configuration of network firewalls
  4. Other security-related devices and services: IDS, IPS, VPN, etc.
112
Q

When analyzing users for attack surfaces, we’ll commonly look at: (4)

A
  1. Effectiveness of policies, procedures, and training
  2. Risk of social engineering
  3. Potential for human error
  4. Risk of malicious behavior
113
Q

Name 7 types of assets

A
  1. People
  2. Information
  3. Data
  4. Hardware
  5. Software
  6. Processes
  7. Ideas

Anything of value to the company

114
Q

What are the 5 steps of the asset identification and classification process?

A
  1. Inventory your assets
  2. Assign Ownership
  3. Classify based on value
  4. protect based on value classification
  5. Periodically assess and review
115
Q

What are the 5 steps in the asset lifecycle

A
  1. identify and classify (new assets should be)
  2. secure (based on classified value)
  3. monitor (regularly for changes in value and effectiveness of security controls)
  4. recovery (if an asset is adversely impacted, recovery measures should be in place)
  5. disposition
116
Q

What are the 2 methods of disposing of an asset?

A
  1. archiving for long-term storage
  2. defensible destruction: ensuring there is no data remanence
117
Q

What is a reverse shell?

A

enables an attacker to gain remote access to and control of a machine by bypassing firewall safeguards

118
Q

What is identification?

A

Makes a claim about what someone or something is

119
Q

What is authentication?

A

Establishes whether something or someone is what they’re supposed to be

120
Q

Is identity verification weaker or stronger than authentication?

A

It’s weaker than authentication.

121
Q

What is the difference between authentication and authorization?

A

Authentication is a set of methods used to establish whether a claim of identity is true.

Authorization determines what someone is permitted to do.

122
Q

What is mutual authentication?

A

An authentication mechanism in which both parties in a transaction authenticate each other.

These are typically software based. (Client-server; server-client)

123
Q

What does mutual authentication generally rely on?

A

Digital certificates.

124
Q

What kind of attack do you leave yourself vulnerable to when you don’t perform mutual authentication?

A

MITM (Man in the middle)

125
Q

How does a MITM (man in the middle) attack work?

A

The attacker inserts themselves between the client and the server, impersonating the server to the client and the client to the server.

They circumvent the normal pattern of traffic, then intercept and forward the traffic that would normally flow directly between the client and the server.

126
Q

What is manual synchronization of passwords?

A

Using the same password everywhere

127
Q

What is minutiae?

A

Noting elements that appear at certain parts of the image

128
Q

What 7 characteristics are biometric factors defined by?

A
  1. Universality
  2. Uniqueness
  3. Permanence
  4. Collectibility
  5. Performance
  6. Acceptability
  7. Circumvention
129
Q

What is universality

A

Should be able to find your chosen biometric characteristic in the majority of people you expect to enroll in the system.

130
Q

What is uniqueness?

A

A measure of how unique a characteristic is among individuals

131
Q

What is permanence?

A

Tests how well a characteristic resists changes over time and with advancing age.

132
Q

What is collectability?

A

Measures how easy it is to acquire a characteristic.

133
Q

What is performance?

A

How well a given biometric system functions based on factors such as speed, accuracy, and error rate.

134
Q

What is acceptability?

A

A measure of how acceptable the characteristic is to the users of the system.

In general, systems that are slow, difficult, or awkward to use are less likely to be acceptable.

135
Q

What is circumvention?

A

Describes how easy it is to trick a system by using a falsified biometric identifier.

136
Q

What is a gummy finger?

A

A type of biometric identification attack where a fingerprint is lifted from a surface and used to create a mold with which the attacker can cast a positive image of the fingerprint in gelatin.

137
Q

What secondary features of biometric systems have been put in place to defeat gummy attacks?

A

Measuring skin temperature, pulse, or pupillary response.

138
Q

What are 2 of the most important measures of biometric performance?

A
  1. FAR (false acceptance rate)
  2. FRR (False rejection rate)
139
Q

What is EER (equal error rate)?

A

A balance between false acceptance and false rejection of biometric data.

Is often used as a measure of the accuracy of biometric systems.

140
Q

What are hardware tokens?

A

A small device, typically in the general form factor of a credit card or keychain fob.

Contains a certificate or unique identifier.

141
Q

What do more complex hardware tokens have that differentiates them?

A

  1. LCDs (liquid crystal displays)
  2. Keypads for entering passwords
  3. Biometric readers
  4. Wireless devices
  5. Additional features to enhance security

142
Q

What are access controls?

A

Generally how you implement authorization, by using tools and systems you use to deny or allow access.

143
Q

What 4 basic tasks would you probably want to use access control for?

A
  1. Allowing access
  2. Denying access
  3. Limiting access
  4. Revoking access
144
Q

Name one example of a sandbox?

A

JVM (Java Virtual Machine)

145
Q

What are the two main methods of implementing access controls?

A
  1. Access control lists
  2. Capabilities
146
Q

What are access control lists?

A

Lists containing information about what kind of access certain parties are allowed to have in a given system.

147
Q

What are the three types of permissions in an ACL access control list file system?

A
  1. Read: allows a user to access the contents of the file or directory
  2. Write: allows a user to write to a file or directory
  3. Execute: allows a user to execute the contents of the file if it contains a program or script capable of running on the system in question.
148
Q

What command would you issue on a Linux-based OS to view the three sets of permissions? (For viewing files)

A

ls -la

149
Q

In Linux, when looking at ACL permissions, what does each of the 4 sections represent?
- | rw- | r-- | r--

A
  1. First character = file type (R = regular, D = directory).
  2. The owning user’s permissions, set to rw-, meaning the user can read and write but not execute.
  3. Group permissions, set to r--, meaning members of the group that owns the file can read it but not write or execute it.
  4. Other permissions, also set to r--, meaning anyone who is neither the owning user nor in the owning group can read it but not write or execute it.
150
Q

What do you use to filter access in network ACLs? (3)

A
  1. IP (Internet Protocol) addresses
  2. Media Access Control Addresses
  3. Ports
151
Q

On what network infrastructure can you see network ACLs? (3)

A
  1. Routers
  2. Switches
  3. Firewall devices, including software firewalls such as Google, Facebook, email, etc.
152
Q

How do network ACLs work?

A

They tend to be binary: each rule either allows or denies access to traffic.

153
Q

What are media access control (MAC) addresses?

A

Unique identifiers hard-coded into each network interface in a given system.

154
Q

Why is a media access control address not a good choice as a unique identifier for a device on a network?

A

Because software settings in most operating systems can override this address, so changing it is easy.

155
Q

Why aren’t IP addresses a good basis for a network ACL?

A

Because IP addresses can be falsified, they’re not unique to a network, and they’re issued by ISPs and subject to frequent change.

156
Q

What is blackholing?

A

It’s the use of large-scale filtering to block out known attacks, spammers, or undesirable traffic; it can be applied to IP addresses, ISPs, or even entire countries.

157
Q

What are network ports?

A

A numerical designation for one side of a connection between two devices, used to identify the application to which traffic should be routed.

158
Q

Why aren’t network ports a great basis for an ACL?

A

Because the ports used by specific applications are conventions, not absolute rules, so applications can with relative ease be changed to use entirely different ports.

159
Q

What is a socket?

A

A combination of an IP address and a network port.

160
Q

Systems that use ACLs to manage permissions are vulnerable to what kind of attack?

A

Confused deputy problem

161
Q

What is the confused deputy problem?

A

It’s a type of attack that applies when ACLs are used to manage permissions. It occurs when software with access to a resource (the deputy) has a greater level of permission to access the resource than the user who is controlling the software. If the software can be tricked into misusing its greater level of authority, an attack can potentially be carried out.

162
Q

What are client-side attacks?

A

Tricking the user into taking some action when they really think they are doing something else entirely. They take advantage of weaknesses in applications running on the users’ computers.

163
Q

Name 3 forms client-side attacks could take. (examples of how they may be carried out)

A
  1. Code sent through web browser and executed on the local machine.
  2. Malformed PDF files
  3. Images and videos with attack code embedded.
164
Q

Name 2 of the more common attacks exploiting the confused deputy problem.

A
  1. Cross-site request forgery (CSRF)
  2. Clickjacking
165
Q

What is CSRF (cross-site request forgery)?

A

An attack that misuses the authority of the browser on the user’s computer.

If the attacker knows of or can guess a website the user has already authenticated to, such as amazon.com, the attacker can embed a link in a web page or HTML-based email, generally to an image hosted on a site controlled by the attacker. When the target’s browser attempts to retrieve the image in the link, it also executes the additional commands the attacker has embedded in it, often completely invisibly to the target.

166
Q

What is clickjacking?

A

Also known as user interface redressing.

Takes advantage of some of the page rendering features that are available in newer web browsers.

The attacker must legitimately control or have taken control of some portion of a website. The attacker constructs or modifies the site by placing an invisible layer over something the client would normally click. This causes the client to execute a command that’s different from the one they think they’re performing.

Can be used to trick the client into making purchases, changing permissions on applications or operating systems, or performing other unwanted activities.
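The two browser-as-confused-deputy attacks above (CSRF in card 165, clickjacking in card 166) are easiest to understand from the server’s side. The following is an added example, not part of the original flashcards: it models a hypothetical bank.example "transfer" endpoint with constructed stand-ins for HTTP requests, and shows a handler that trusts the session cookie alone beside a hardened one that requires POST, rejects cross-site requests by Origin/Sec-Fetch-Site, checks a synchronizer (CSRF) token, and sends anti-framing headers. Site names, session values and the token format are all assumptions.

```python
import hmac
from dataclasses import dataclass, field

# Constructed stand-ins for an HTTP request/response so this runs offline:
# no real server, browser or site is involved.
@dataclass
class Request:
    method: str
    params: dict = field(default_factory=dict)    # query string or form body
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)

@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)

SITE_ORIGIN = "https://bank.example"               # hypothetical target site
# Session store: cookie value -> session. The CSRF token is a per-session
# secret that only pages served by bank.example itself can read.
SESSIONS = {"sess-alice": {"user": "alice", "csrf": "c0ffee-constructed-token"}}
BALANCES = {}

def reset_balances():
    BALANCES.clear()
    BALANCES.update({"alice": 100, "mallory": 0})

def _do_transfer(sess, params):
    amount = int(params["amount"])
    BALANCES[sess["user"]] -= amount
    BALANCES[params["to"]] = BALANCES.get(params["to"], 0) + amount
    return Response(200, "transferred")

def vulnerable_transfer(req):
    # The browser (the deputy) attaches the session cookie to every request
    # bound for bank.example, so the cookie alone is taken as authorisation.
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return Response(401, "login required")
    return _do_transfer(sess, req.params)

def hardened_transfer(req):
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return Response(401, "login required")
    # 1. State changes only over POST: an <img> tag can only issue a GET.
    if req.method != "POST":
        return Response(405, "state-changing requests must be POST")
    # 2. Refuse cross-site requests outright. Browsers set Sec-Fetch-Site on
    #    every request and Origin on POSTs; page script cannot override them.
    fetch_site = req.headers.get("Sec-Fetch-Site")
    if req.headers.get("Origin") != SITE_ORIGIN or fetch_site not in (None, "same-origin"):
        return Response(403, "cross-site request refused")
    # 3. Synchronizer token: the attacker's page cannot read it, so it cannot
    #    forge it. Constant-time compare avoids leaking it byte by byte.
    if not hmac.compare_digest(req.params.get("csrf", ""), sess["csrf"]):
        return Response(403, "missing or invalid CSRF token")
    resp = _do_transfer(sess, req.params)
    # 4. Anti-clickjacking: forbid framing so a decoy page cannot lay an
    #    invisible copy of this site over its own buttons.
    resp.headers["X-Frame-Options"] = "DENY"
    resp.headers["Content-Security-Policy"] = "frame-ancestors 'none'"
    return resp

def forged_image_request():
    # What alice's browser sends when a page on evil.example contains
    # <img src="https://bank.example/transfer?to=mallory&amount=50">.
    # The cookie rides along automatically (absent SameSite=Lax/Strict).
    return Request("GET", {"to": "mallory", "amount": "50"},
                   cookies={"session": "sess-alice"},
                   headers={"Sec-Fetch-Site": "cross-site"})

def forged_post_request():
    # A hidden form on evil.example auto-submitted by script; still no token.
    return Request("POST", {"to": "mallory", "amount": "50"},
                   cookies={"session": "sess-alice"},
                   headers={"Origin": "https://evil.example",
                            "Sec-Fetch-Site": "cross-site"})

def legitimate_request():
    # The same transfer submitted from bank.example's own form, which carries
    # the session's CSRF token in a hidden field.
    return Request("POST", {"to": "mallory", "amount": "50",
                            "csrf": "c0ffee-constructed-token"},
                   cookies={"session": "sess-alice"},
                   headers={"Origin": SITE_ORIGIN, "Sec-Fetch-Site": "same-origin"})

def run_demo():
    results = {}
    for name, handler, req in [("forged_img_vs_vulnerable", vulnerable_transfer, forged_image_request()),
                               ("forged_img_vs_hardened", hardened_transfer, forged_image_request()),
                               ("forged_post_vs_hardened", hardened_transfer, forged_post_request()),
                               ("legit_vs_hardened", hardened_transfer, legitimate_request())]:
        reset_balances()
        resp = handler(req)
        results[name] = (resp.status, BALANCES["alice"])
    results["frame_ancestors"] = hardened_transfer(legitimate_request()).headers["Content-Security-Policy"]
    return results

if __name__ == "__main__":
    print(run_demo())
```

Marking the session cookie `SameSite=Lax` or `Strict` stops the browser attaching it to the forged requests in the first place; the checks above are the defence in depth for browsers or flows where that attribute does not apply.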

167
Q

What is a capability?

A

It’s a way of controlling access and permissions based on a token or key that the user possesses, rather than on an access list attached to the resource.

These generally aren’t physical tokens.

168
Q

In a capability-based system how is the right to access a resource decided?

A

Based on possession of the token, not on the identity of whoever holds it. Anyone who has the token can use it to access whatever has been granted to that token, which is why capabilities must be unforgeable and protected from theft.

169
Q

What is an access control model?

A

A way of determining who should be allowed to access what resources.

170
Q

What are the 6 most common access control models?

A
  1. Discretionary access control
  2. Mandatory access control
  3. Rule-based access control
  4. Role-based access control
  5. Attribute-based access control
  6. Multi-level access control
171
Q

What is DAC (Discretionary Access Control)

A

The owner of the resource determines who gets access to it and exactly what level of access they can have.

172
Q

What is MAC (mandatory access control)

A

The owner of a resource doesn’t get to decide who gets access to it. Instead, a separate group or individual has the authority to set access to resources.

MAC is often implemented in government organizations where access to a given resource is largely dictated by the sensitivity label applied to it.

173
Q

What is rule-based access control?

A

Allows access according to a set of rules defined by the system administrator. If the rule is matched, access to the resource will be granted or denied accordingly.

174
Q

What is role-based access control. (RBAC)

A

Allows access based on the role of the individual being granted access.

175
Q

What type of access control is RBAC?

A

Role based access control

(Not rule-based access control)

176
Q

What is ABAC? (Attribute-based access control)

A

Based on the specific attributes of a person, resource, or environment. You can often find it implemented on infrastructure systems such as those in network or telecommunication environments.

177
Q

What are subject attributes?

A

A potential attribute in attribute-based access control.

Belong to an individual, such as height, or having passed a CAPTCHA.

178
Q

What are resource attributes?

A

A potential attribute in attribute-based access control.

Belong to a resource such as an operating system or application. You’ll often see access controlled by resource attributes.

Sometimes this is technical, such as software that only runs on a particular OS.

179
Q

What are environmental attributes?

A

A kind of attribute that may be used in attribute-based access control.

Enables access controls based on environmental conditions. People commonly use time to control access to physical and logical resources.
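Cards 173 through 179 describe rule-based, role-based and attribute-based control as separate models, but in practice one policy engine usually combines them. This added example (not from the original flashcards) evaluates administrator-defined rules over subject, resource and environment attributes, with role membership supplying the permissions and deny-overrides combination. The roles, actions, networks and classification names are hypothetical and constructed for illustration.

```python
from datetime import datetime

# Resource attribute: classification, ordered so it can be compared to a clearance.
CLASSIFICATION = {"public": 0, "internal": 1, "confidential": 2}

# RBAC: permissions hang off roles; a subject acquires them through its roles.
ROLE_PERMISSIONS = {
    "analyst":   {("ticket", "read"), ("ticket", "update")},
    "responder": {("ticket", "read"), ("ticket", "update"), ("host", "isolate")},
}

def rbac_allows(subject, resource, action) -> bool:
    return any((resource["type"], action) in ROLE_PERMISSIONS.get(role, set())
               for role in subject.get("roles", ()))

# Rule-based / ABAC: each rule inspects (subject, resource, action, environment)
# and returns "deny", "permit" or None when it does not apply.
def rule_clearance(s, r, a, e):
    # subject attribute (clearance) against resource attribute (classification)
    if CLASSIFICATION[s["clearance"]] < CLASSIFICATION[r["classification"]]:
        return "deny"

def rule_isolate_needs_mfa_on_corp(s, r, a, e):
    # environmental attribute (network) plus subject attribute (MFA state)
    if a == "isolate" and not (e["network"] == "corp" and s.get("mfa")):
        return "deny"

def rule_business_hours(s, r, a, e):
    # environmental attribute (time of day): non-read actions outside
    # 08:00-18:00 are reserved for the responder role
    if a != "read" and not 8 <= e["now"].hour < 18 and "responder" not in s["roles"]:
        return "deny"

def rule_role(s, r, a, e):
    if rbac_allows(s, r, a):
        return "permit"

RULES = [rule_clearance, rule_isolate_needs_mfa_on_corp, rule_business_hours, rule_role]

def decide(subject, resource, action, env) -> str:
    """Deny-overrides combination with a default of deny when no rule permits."""
    outcomes = {rule(subject, resource, action, env) for rule in RULES}
    if "deny" in outcomes:
        return "deny"
    return "permit" if "permit" in outcomes else "deny"

# Constructed subjects, resources and environments.
ANALYST = {"name": "ana", "roles": ["analyst"], "clearance": "internal", "mfa": True}
RESPONDER = {"name": "raj", "roles": ["responder"], "clearance": "confidential", "mfa": True}
TICKET = {"type": "ticket", "classification": "internal"}
SECRET_TICKET = {"type": "ticket", "classification": "confidential"}
HOST = {"type": "host", "classification": "internal"}
CORP_NOON = {"network": "corp", "now": datetime(2024, 3, 4, 12, 0)}
CORP_2AM = {"network": "corp", "now": datetime(2024, 3, 4, 2, 0)}
INTERNET_NOON = {"network": "internet", "now": datetime(2024, 3, 4, 12, 0)}

def demo() -> dict:
    return {
        "analyst_reads_ticket": decide(ANALYST, TICKET, "read", CORP_NOON),
        "analyst_reads_secret_ticket": decide(ANALYST, SECRET_TICKET, "read", CORP_NOON),
        "analyst_updates_at_2am": decide(ANALYST, TICKET, "update", CORP_2AM),
        "analyst_isolates_host": decide(ANALYST, HOST, "isolate", CORP_NOON),
        "responder_isolates_from_internet": decide(RESPONDER, HOST, "isolate", INTERNET_NOON),
        "responder_isolates_at_2am": decide(RESPONDER, HOST, "isolate", CORP_2AM),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that every decision is default-deny: a subject with no matching role and no applicable rule is refused, which is the behaviour you want when a new resource type appears before anyone has written policy for it.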

180
Q

What is multilevel access control?

A

Combines several of the access control models. Used when the simpler access control models aren’t considered robust enough to protect the information to which you’re controlling access.

181
Q

What kind of access control is the Bell-LaPadula Model?

A

Multilevel access control

182
Q

What is the Bell-LaPadula Model?

A

Implements a combination of discretionary and mandatory access controls (DAC and MAC) and is primarily concerned with the confidentiality of the resource in question.

183
Q

What is the simple security property?

A

The level of access (clearance) granted to an individual must be at least as high as the classification of the resource in order for the individual to read it.

An individual cannot read a resource classified at a higher level than their clearance, but they can read resources at a lower level (no read up).

184
Q

What is the * property (or star property)

A

Anyone accessing a resource can only write (copy) its contents to another resource classified at the same level or higher (no write down). This stops a subject from reading classified data and leaking it into a lower-classified resource.

185
Q

What is the Biba model?

A

Primarily concerned with protecting the integrity of data, even at the expense of confidentiality.

186
Q

what 2 security rules does Biba have?

A
  1. The simple integrity axiom: an individual can only read a resource whose integrity level is at least as high as their own, i.e. no read down, so data from a lower-integrity source cannot contaminate a higher-integrity process.
  2. The * integrity axiom (or star integrity axiom): anyone accessing a resource can only write its contents to a resource classified at the same level or lower, i.e. no write up.
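Cards 182 through 186 (and the two mnemonics that follow) are easiest to keep straight when the four checks sit side by side. This added example, not part of the original flashcards, encodes security labels as a level plus a set of categories ordered by dominance, which is the general form Bell-LaPadula uses and goes slightly beyond the level-only wording on the cards, and implements the simple security and * properties of Bell-LaPadula next to the simple integrity and * integrity axioms of Biba. The level names and the "copy" helper are constructed for illustration.

```python
from dataclasses import dataclass

# A label is a numeric level plus a set of categories (compartments); labels are
# partially ordered by dominance. One lattice type serves both models: only the
# direction of each check differs.
UNCLASSIFIED, CONFIDENTIAL, SECRET, TOP_SECRET = 0, 1, 2, 3   # BLP sensitivity levels
UNTRUSTED, USER, SYSTEM = 0, 1, 2                              # Biba integrity levels

@dataclass(frozen=True)
class Label:
    level: int
    categories: frozenset = frozenset()

    def dominates(self, other) -> bool:
        return self.level >= other.level and self.categories >= other.categories

# Bell-LaPadula (confidentiality): subject label = clearance, object label = classification.
def blp_can_read(subject, obj) -> bool:
    """Simple security property: no read up."""
    return subject.dominates(obj)

def blp_can_write(subject, obj) -> bool:
    """*-property: no write down."""
    return obj.dominates(subject)

def blp_can_copy(subject, src, dst) -> bool:
    """A copy is a read of src followed by a write to dst, so both properties must hold."""
    return blp_can_read(subject, src) and blp_can_write(subject, dst)

# Biba (integrity): subject label = how trusted the process is, object label = how
# trusted the data is. The checks are mirror images of the BLP ones.
def biba_can_read(subject, obj) -> bool:
    """Simple integrity axiom: no read down."""
    return obj.dominates(subject)

def biba_can_write(subject, obj) -> bool:
    """* integrity axiom: no write up."""
    return subject.dominates(obj)

def demo() -> dict:
    secret = Label(SECRET)
    secret_nato = Label(SECRET, frozenset({"NATO"}))
    unclass = Label(UNCLASSIFIED)
    top = Label(TOP_SECRET)
    system, user, untrusted = Label(SYSTEM), Label(USER), Label(UNTRUSTED)
    return {
        # Bell-LaPadula
        "secret_reads_unclassified": blp_can_read(secret, unclass),
        "secret_reads_top_secret": blp_can_read(secret, top),
        "secret_reads_secret_nato": blp_can_read(secret, secret_nato),   # missing category
        "secret_writes_top_secret": blp_can_write(secret, top),
        "secret_copies_secret_to_unclassified": blp_can_copy(secret, secret, unclass),
        # Biba
        "system_reads_untrusted_download": biba_can_read(system, untrusted),
        "untrusted_writes_system_config": biba_can_write(untrusted, system),
        "user_reads_system_binary": biba_can_read(user, system),
        "system_writes_user_file": biba_can_write(system, user),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

A system that enforces both models at once (a multilevel design in the sense of card 180) simply requires the BLP and Biba checks to agree, which is why such systems tend to be restrictive: a subject can then only read and write objects at exactly its own label.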
187
Q

No read down, no write up

A

The Biba model

188
Q

No read up, no write down

A

The Bell-LaPadula model