Video Content Lesson 2

Question 2

Access Control

Answer 2

Protects data from unauthorized access
2 parts of CIA
Confidentiality - no unauthorized reads
Integrity - no unauthorized writes
Subject is an entity that requests access to data (active)
Object is an entity that contains or controls data (passive)

Question 3

Least Privilege

Answer 3

Grant subjects only enough access to objects to perform required tasks
Goal is to limit “authorization creep”
Accidental authorization can be given to subject

Question 4

Accountability

Answer 4

Log every access by a subject to an object or group of objects
Ensures subject to adhere to security policy
provides deterrent to unauthorized behavior

Question 5

Access Controls

Answer 5

Use Controls as they provide a safeguard to protect an object from a threat
Object Controls are loosely organized into three groups
1-Physical Access Controls
2-Administrative Access Controls
3-Logical Access Controls

Question 6

Physical Access Controls

Answer 6

Controls that limit physical access to hardware
Perimeter Security–fences, walls, limited access rooms, cable protection
shielding from emanations, cabling media choice (fiber optic–NO emanations)
conduit or other physical protection (protect cable)
Separation of duties and work areas–minimize “shoulder surfing”
keep single person from completing a sensitive process

Question 7

Administrative Access Control

Answer 7

Set of rules/strategies
Policies and Procedures
Hiring Practices Policies
Security Awareness Training
Monitoring-validates processes

Question 8

Logical Access Control

Answer 8

Technical controls
Object access restrictions (only allow access by authorized users)
Encryption (only allow authorized users to read data)
Network architecture/sergregation (use architecture to keep network segments separate)

Question 9

Data Classification

Answer 9

Controls can be expensive
Only protect what must be protected
Data Classification (Identifies valuable data, satisfies legal or regulatory criteria, helps in choosing appropriate controls)

Question 10

Classification Criteria

Answer 10

Value or usefulness
Age
Laws and Regulations
Personal association

Question 11

Data Responsibility

Answer 11

1-Owner (member of middle/upper management and ultimate responsibility for data security)
2-Custodian (responsible for control implementation and maintenance)
3-User (Routinely uses data)

Question 12

Commercial Data (Integrity and Availability)

Answer 12

1-Public
2-Sensitive
3-Private
4-Confidential

Question 13

Government Data (Confidentiality)

Answer 13

1-Unclassified
2-Sensitive but Unclassified (SBU)
3-Confidential
4-Secret
5-Top Secret

Question 14

Access Control Techniques

Answer 14

1-Control Types
2-Control Categories
3-Security Labels
4-Discretionary
5-Mandatory
6-Nondiscretionary
7-Access Control Lists

Question 15

Access Control Types

Answer 15

Controls apply to threat events
Preventative (avoid event)
Detective (identify event)
Deterrent (discourage event)
Corrective (fix event)
Recovery (restore)

Question 16

Control Categories

Answer 16

Physical preventative control (badge/access card)
Technical preventative control (Database views, encryption, antivirus software)
Administrative detective control (policy, audit, logs)

Question 17

Security Labels

Answer 17

Assign classification levels to objects and subjects
Subject must be at or above clearance level of object
Use of label in table

Question 18

Discretionary

Answer 18

1-Discretionary Access Control (DAC) (identity-based access control, owner specifies who can have access to objects) this is most common access control in commercial arena

Question 19

Mandatory

Answer 19

2-Mandatory Access Control (MAC) (rule-based access control, subjects clearance compared to objects security level)

Question 20

Nondiscretionary

Answer 20

Role-based access control (access granted based on user’s job description)
Lattice-based access control (both the subject’s role and task to accomplish)
Common in envirionments with frequent personnel changes
Frequently uses access table

Question 21

Access Control Lists

Answer 21

Specific about which users can access which objects

can be based on users, roles, or groups

Question 22

Access Control Implementation

Answer 22

1-Centralized Authentication
2-RADIUS
3-TACACS
4-Decentralized
5-Hybrid Model

Question 23

Centralized Authentication

Answer 23

All access to objects controlled by a single entity
Ease of administration
Allows for strict access control
Can be slower with large number of users
Single point of failure (impact availability)

Question 24

RADIUS

Answer 24

Centralized Aunthentication Type (RADIUS)

Remote Authentication Dial-In User Service

Question 25

TACACS

Answer 25

Terminal Access Controller Access Control System
Authentication and Authorization for direct access
Only requires single-factor authentication (one piece of input)
TACACS+ Implements two-factor authentication (two pieces of input)

Question 26

Decentralized

Answer 26

Remote authentication
Access administration is handled closer to the objects being controlled
Requires more administration overhead
Security domain (sphere of influence, group of objects that a subject can access, defined by domains)

Question 27

Hybrid Model

Answer 27

Blend Centralized and Decentralized
Use Centralized authentication for high security resources, sensitive data, databases
Use Decentralized authentication for less sensitive data, local files, etc

Question 28

Identification and Authentication

Answer 28

1-Phases
2-Type 1 Authentication
3-Type 2 Authentication
4-Type 3 Authentication
5-Single Sign-on
6-Kerberos
7-Kerberos Process
8-SESAME

Question 29

Phases

Answer 29

Identification

Authentication

Question 30

Type 1 Authentication (what you know)

Answer 30

Passwords, PINs, Passphrases
Ensure strong passwords with policies
Password Length
Expiration Date
Good Passwords
Watch for Mistakes
Keep Passwords Secret
Don't Reuse
Don't Write it

Question 31

Type 2 Authentication (what you have)

Answer 31

Tokens, Tickets, One-time Password
Smart Card producing Time-based password
Synchronous / Asynchronous device
Used in two-factor authentication
more complex
user must possess token all of the time

Question 32

Type 3 Authentication (who you are)

Answer 32

Physical characteristics
Iris/Retinal Scan
Fingerprint/handprint
Voice pattern
Keystroke pattern
Signature
False Rejection Rate (FRR)
False Acceptance Rate (FAR)
Crossover Error Rate (CER)
Lower Crossover Error Rate is BEST

Question 33

Single Sign-on

Answer 33

SSO simplifies signon system
Once signed into system no need to signin to various systems
Kerberos, SESAME, KRYPROKNIGHT, NETSP

Question 34

Kerberos

Answer 34

Started as MIT’s project Athena
provides authentication and message protection
Uses symmetric key cryptography
Provides end-to-end security

Question 35

Kerberos

Answer 35

Key Distribution Center (KDC)
Holds all cryptographic keys
Ticket (geneterated by the KDC to authenticate a subject)
Authentication Service for subject and object

Question 36

Kerberos Process

Answer 36

Subject requests access to an object
KDC authenticates and generates a ticket
Subject validates ticket’s origin and sends it to object
File server authenticates the subject and grants access to object

Question 37

SESAME

Answer 37

Secure European System for Applications in a Multivendor Environment (SESAME)
Uses public key cryptography to distribute secret keys (public and private keys)
Privilege Attribute Certificate passes authentication (like Ticket)

Question 38

Attack and Monitor

Answer 38

Brute Force
Dictionary
Denial of Service
Spoofing
Man-in-the-Middle
Access Control Assurance
Monitoring
Intrusion Detection
Penetration Testing

Question 39

Brute Force

Answer 39

Attempts to gain access many times using different input

Password guessing and war dialing are examples

Question 40

Dictionary

Answer 40

More selective than a brute force attack

Submits identification credentials from a dictionary, or list of commonly user IDs

Question 41

Denial of Service

Answer 41

attacks availability area of Triad

Attacker saturates network, rendering access to the system impossible or slow

Question 42

Spoofing

Answer 42

Pretending to be someone else
Attacker presents a substitute login screen
Fake login screen stores the user ID and password, then displays a failed login message

Question 43

Man-in-the-Middle

Answer 43

Uses a network sniffer, or hardware/software that intercepts network packets, to grab traffic en route to another destination

Question 44

Access Control Assurance

Answer 44

The process of ensuring that the access controls are operating the way they were intended
Audit trail monitoring
Audit event types (network, system, application, user, keystroke)
Auditing issues and concerns (where store, enough storage room?, encripted?, who access it?)
Information Security Activities
Intrusion detection prevention (detects certain activity, raise alert, stop activity)
Penetration testing to try to break security
Other types of testing (access controls, applications, objects, full testing)

Question 45

Monitoring

Answer 45

Event Log Auditing (system, application, user events)
Know system and regular process
Keystroke monitoring
Honeypot

Question 46

Intrusion Detection

Answer 46

Intrusion Detection Systems (IDS)
Monitor systems or network
2 Types (Network-based and Host-based)
Looks for unusual activity
Signature-based and sounds alarms
Behavior-based looks for usage anomalies (must keep logs of activities) (sometimes called an expert system)  (typically more false positives than signature-based)

Question 47

Penetration

Answer 47

Legal Hacking
Try to get into network and systems
can uncover vulnerabilities
Some Pen Tests can be destructive (beware)