Video Content Lesson 2 Flashcards
Access Control
Protects data from unauthorized access
2 parts of CIA
Confidentiality - no unauthorized reads
Integrity - no unauthorized writes
Subject is an entity that requests access to data (active)
Object is an entity that contains or controls data (passive)
Least Privilege
Grant subjects only enough access to objects to perform required tasks
Goal is to limit “authorization creep”
Accidental authorization can be given to subject
Accountability
Log every access by a subject to an object or group of objects
Ensures subjects adhere to security policy
Provides a deterrent to unauthorized behavior
Access Controls
Use Controls as they provide a safeguard to protect an object from a threat
Object Controls are loosely organized into three groups
1-Physical Access Controls
2-Administrative Access Controls
3-Logical Access Controls
Physical Access Controls
Controls that limit physical access to hardware
Perimeter Security–fences, walls, limited access rooms, cable protection
shielding from emanations, cabling media choice (fiber optic–NO emanations)
conduit or other physical protection (protect cable)
Separation of duties and work areas–minimize “shoulder surfing”
keep single person from completing a sensitive process
Administrative Access Control
Set of rules/strategies
Policies and Procedures
Hiring Practices
Security Awareness Training
Monitoring - validates processes
Logical Access Control
Technical controls
Object access restrictions (only allow access by authorized users)
Encryption (only allow authorized users to read data)
Network architecture/segregation (use architecture to keep network segments separate)
Data Classification
Controls can be expensive
Only protect what must be protected
Data Classification (Identifies valuable data, satisfies legal or regulatory criteria, helps in choosing appropriate controls)
Classification Criteria
Value or usefulness
Age
Laws and Regulations
Personal association
Data Responsibility
1-Owner (member of middle/upper management with ultimate responsibility for data security)
2-Custodian (responsible for control implementation and maintenance)
3-User (Routinely uses data)
Commercial Data (Integrity and Availability)
1-Public
2-Sensitive
3-Private
4-Confidential
Government Data (Confidentiality)
1-Unclassified
2-Sensitive but Unclassified (SBU)
3-Confidential
4-Secret
5-Top Secret
Access Control Techniques
1-Control Types
2-Control Categories
3-Security Labels
4-Discretionary
5-Mandatory
6-Nondiscretionary
7-Access Control Lists
Access Control Types
Controls apply to threat events
Preventative (avoid event)
Detective (identify event)
Deterrent (discourage event)
Corrective (fix event)
Recovery (restore)
Control Categories
Physical preventative control (badge/access card)
Technical preventative control (Database views, encryption, antivirus software)
Administrative detective control (policy, audit, logs)
Security Labels
Assign classification levels to objects and subjects
Subject must be at or above clearance level of object
Use of label in table
Discretionary
1-Discretionary Access Control (DAC) (identity-based access control, owner specifies who can have access to objects); this is the most common access control in the commercial arena
Mandatory
2-Mandatory Access Control (MAC) (rule-based access control, subject's clearance compared to object's security level)
Nondiscretionary
Role-based access control (access granted based on user’s job description)
Lattice-based access control (both the subject’s role and task to accomplish)
Common in environments with frequent personnel changes
Frequently uses an access table
Access Control Lists
Specific about which users can access which objects
can be based on users, roles, or groups
Access Control Implementation
1-Centralized Authentication
2-RADIUS
3-TACACS
4-Decentralized
5-Hybrid Model
Centralized Authentication
All access to objects controlled by a single entity
Ease of administration
Allows for strict access control
Can be slower with a large number of users
Single point of failure (impact availability)
RADIUS
Centralized Authentication Type (RADIUS)
Remote Authentication Dial-In User Service
TACACS
Terminal Access Controller Access Control System
Authentication and Authorization for direct access
Only requires single-factor authentication (one piece of input)
TACACS+ Implements two-factor authentication (two pieces of input)
Decentralized
Remote authentication
Access administration is handled closer to the objects being controlled
Requires more administration overhead
Security domain (sphere of influence, group of objects that a subject can access, defined by domains)
Hybrid Model
Blend Centralized and Decentralized
Use Centralized authentication for high security resources, sensitive data, databases
Use Decentralized authentication for less sensitive data, local files, etc
Identification and Authentication
1-Phases
2-Type 1 Authentication
3-Type 2 Authentication
4-Type 3 Authentication
5-Single Sign-on
6-Kerberos
7-Kerberos Process
8-SESAME
Phases
Identification
Authentication
Type 1 Authentication (what you know)
Passwords, PINs, Passphrases
Ensure strong passwords with policies: Password Length, Expiration Date
Good Passwords: Watch for Mistakes, Keep Passwords Secret, Don't Reuse, Don't Write It Down
Type 2 Authentication (what you have)
Tokens, Tickets, One-time Password
Smart Card producing Time-based password
Synchronous / Asynchronous device
Used in two-factor authentication
More complex: user must possess token all of the time
Type 3 Authentication (who you are)
Physical characteristics: Iris/Retinal Scan, Fingerprint/handprint, Voice pattern, Keystroke pattern, Signature
False Rejection Rate (FRR)
False Acceptance Rate (FAR)
Crossover Error Rate (CER)
Lower Crossover Error Rate is BEST
Single Sign-on
SSO simplifies the sign-on system
Once signed into the system, no need to sign in to various systems
Kerberos, SESAME, KryptoKnight, NetSP
Kerberos
Started as MIT's Project Athena
provides authentication and message protection
Uses symmetric key cryptography
Provides end-to-end security
Kerberos
Key Distribution Center (KDC)
Holds all cryptographic keys
Ticket (generated by the KDC to authenticate a subject)
Authentication Service for subject and object
Kerberos Process
Subject requests access to an object
KDC authenticates and generates a ticket
Subject validates ticket’s origin and sends it to object
File server authenticates the subject and grants access to object
SESAME
Secure European System for Applications in a Multivendor Environment (SESAME)
Uses public key cryptography to distribute secret keys (public and private keys)
Privilege Attribute Certificate passes authentication (like Ticket)
Attack and Monitor
Brute Force
Dictionary
Denial of Service
Spoofing
Man-in-the-Middle
Access Control Assurance
Monitoring
Intrusion Detection
Penetration Testing
Brute Force
Attempts to gain access many times using different input
Password guessing and war dialing are examples
Dictionary
More selective than a brute force attack
Submits identification credentials from a dictionary, or a list of commonly used user IDs
Denial of Service
Attacks the availability area of the CIA triad
Attacker saturates network, rendering access to the system impossible or slow
Spoofing
Pretending to be someone else
Attacker presents a substitute login screen
Fake login screen stores the user ID and password, then displays a failed login message
Man-in-the-Middle
Uses a network sniffer, or hardware/software that intercepts network packets, to grab traffic en route to another destination
Access Control Assurance
The process of ensuring that the access controls are operating the way they were intended
Audit trail monitoring
Audit event types (network, system, application, user, keystroke)
Auditing issues and concerns (where to store, enough storage room?, encrypted?, who accesses it?)
Information Security Activities
Intrusion detection/prevention (detects certain activity, raises an alert, stops the activity)
Penetration testing to try to break security
Other types of testing (access controls, applications, objects, full testing)
Monitoring
Event Log Auditing (system, application, user events)
Know the system and its regular processes
Keystroke monitoring
Honeypot
Intrusion Detection
Intrusion Detection Systems (IDS)
Monitor systems or network
2 Types (Network-based and Host-based)
Looks for unusual activity
Signature-based: matches known patterns and sounds alarms
Behavior-based: looks for usage anomalies (must keep logs of activities) (sometimes called an expert system) (typically more false positives than signature-based)
Penetration
Legal Hacking
Try to get into the network and systems
Can uncover vulnerabilities
Some Pen Tests can be destructive (beware)