Week 4: Overview of Security Concepts

Question 1

Access Control refers to

Answer 1

any hardware, software, or organizational/administrative policyor procedurethat

grants or restricts access

monitors and records attempts to access

identifies users attempting to access

Question 2

The transfer of information from an object to a subject is called

Answer 2

access

Question 3

subject

Answer 3

The subject(e.g. user) is the active element

Question 4

object

Answer 4

The object(e.g. database) is the passive element

Question 5

These three essential security principles are known as the

Answer 5

CIA Triad
Confidentiality
Integrity
Availability

Question 6

Confidentiality

Answer 6

Confidentiality ensures that only authorized subjects can access objects

Question 7

Integrity

Answer 7

Integrityensures that unauthorized or unwanted changes to objects are denied

Question 8

Availability

Answer 8

Availabilityensures that authorized requests for objects are granted as quickly as system and network parameters allow

Question 9

The term access control describes

Answer 9

The term access control describes a broad range of controls used to enforce these security principles (CIA)

Question 10

Access controls can be divided into the following seven categories of function or purpose

Answer 10

1. Preventive
2. Deterrent
3. Detective
4. Corrective
5. Recovery
6. Compensation
7. Directive

Question 11

preventive access control

Answer 11

stop unwanted or unauthorized activity from occurring
–
Examplesof preventive access controls include
•
fences and locks
•
separation of duties and job rotation
•
data classification

Question 12

deterrent access control

Answer 12

A deterrent access control is deployed to discourage violation of security policies

A deterrent implies certain consequences in the event of an attempted or successful violation

Examplesof deterrent access controls include
security guards & security cameras
trespass or intrusion alarms

Question 13

detective access control

Answer 13

A detective access control is deployed to discover unwanted or unauthorized activity

Often detective controls operate after the fact

Examplesof detective access controls include
security guards, guard dogs
motion detectors
review of recordings captured by security cameras
audit trails
honeypots or honeynets
intrusion detection systems
incident investigations

Question 14

corrective access control

Answer 14

A corrective access control is deployed to restore systems after an unwanted or unauthorized activity has occurred
–
Usually corrective controls have only minimal capability to respond to access violations

Examplesof corrective access controls include
antivirus solutions
terminating access

Question 15

recovery access control

Answer 15

A recovery access control is deployed to repair or restore functions and capabilities after a violation of security policies

Recovery controls have more advanced or complex capabilities to respond to access violations than corrective access controls

Examplesof recovery access controls include
backups and restores
fault-tolerant systems

Question 16

compensation access control

Answer 16

A compensation access control is deployed to provide various options to other existing controls to aid in the enforcement and support of security policy
Examplesof compensation access controls include
personnel supervision, monitoring, and work task procedures

Can also include controls used instead of more desirable controls
For example, if a guard dog cannot be deployed due to proximity to residential areas, a motion detector with a spotlight and a barking sound playback device can be used

Question 17

directive access control

Answer 17

A directive access control is deployed to direct or control the actions of subjects to force or encourage compliance with security policies

Examplesof directive access controls include
security guards and posted notifications

Question 18

Types of Access Control Implementation

Answer 18

Administrative access controls
Logical/technical access controls
Physical access controls

Question 19

Administrative access controls

Answer 19

The proceduresdefined by an organization’s security policy to implement and enforce overall access control

Hiring practices, background checks, and security training
Data classification

Question 20

Logical/technical access controls

Answer 20

The hardware or software mechanisms used to manage access to resources and systems
Intrusion detection systems
Encryption, smart cards, passwords, and biometrics

Question 21

Physical access controls

Answer 21

The physical barriers deployed to prevent direct contact with systems or areas within a facility

Guards, fences and locks

Question 22

Several steps lead up to the ability to hold a person accountable for online actions

Answer 22

Identification
Authentication
Authorization
Auditing
Accountability / Monitoring

Question 23

Identification

Answer 23

Identificationis the process by which a subject professes an identity

A user provides a username, a logon ID, a personal identification number (PIN), or a smart card to represent an identification process

Providing a process ID number also represents an identification process

Once a subject has identified itself, the claimed identity becomes accountable for any further actions undertaken by that subject

IT systems track activity by identities, not by subjects themselves

Question 24

Authentication

Answer 24

Authenticationis the process of verifying that a claimed identity is valid

Requires that a subject provide additional information that must correspond exactly to the identity professed

Question 25

Three factors of authentication

Answer 25

Type 1. Something you know: any string of characters you have memorized and can reproduce on a keyboard when prompted
passwords, PINs, lock combinations, passphrases

Type 2. Something you have: a physical device that you possess and must have on your person at the time of authentication
smart cards, tokens, memory cards, physical location

Type 3: Something you are (biometrics): a physical characteristic of your person
fingerprints, iris patterns, hand geometry, writing a signature

Question 26

Strong authentication requires

Answer 26

two or more factors

When two of the same factors are used together, the system is no more secure than it would be if just one factor was used, as a single type of attack could compromise both instances

Question 27

Authorization

Answer 27

The process of authorization ensures that the requested activity or object access is possible given the rights and privileges assigned to the authenticated identity

Question 28

access control matrix

Answer 28

For authorization: In most cases, the system evaluates an access control matrix that compares the subject, the object, and the intended activity

Question 29

Auditing

Answer 29

Auditingis the process by which online activities of user accounts and processes are tracked and recorded

Auditing produces audit trails, which can be used to reconstruct events and to verify whether a security policy was violated

Question 30

NIST Audit Documents

Answer 30

Minimum Security Requirements for Federal Information and Information Systems (FIPS 200)

Minimum Security Requirements for Multi-User Operating Systems (NIST IR 5153)

Question 31

Requirements for audit data recording

Answer 31

Create, retain, and protect audit recordsto the extent needed to enable the monitoring, investigation, and reporting of unlawful, or unauthorized activity

Ensure that the actions of individual information system users can be uniquely tracedto those users so they can be held accountable for their actions

Question 32

A subject must provide an ___ to a system to start the authentication process

Answer 32

identity

A subject’s identity is typically considered public information

Question 33

Authentication verifies the ____ of the subject by comparing one or more factors against a database of valid identities

Answer 33

identity

Authentication factors are typically considered private information

Question 34

Passwords

Answer 34

The most common, but weakest, authentication technique

Question 35

Password types

Answer 35

Static vs. dynamic

• Static passwords always remain the same
• Dynamic passwords change after a specified interval of time or use

One-time or single-use passwords
Passphrases
Cognitive passwords (security questions)

Question 36

One-time or single-use passwords

Answer 36

Dynamic passwords that change every time they are used

Question 37

Passphrases

Answer 37

Strings of characters usually much longer than a password

Question 38

Cognitive passwords (security questions)

Answer 38

Questions about facts that only a subject should know

Question 39

Password Security

Answer 39

Never allow clear text transmission

Use strong one-way storage (i.e. hashing)

Password audit your own systems
-Use password verification and password-cracking tools against your own password file and require that discovered passwords be changed

Disable inactive accounts, delete old ones

Train users
-Protects from social engineering attacks

Change passwords based on sensitivity of data

Define and enforce a password policy
-Example: Minimum length, three or four character types
-Protects from brute-force and dictionary attacks
22

Question 40

biometric factor

Answer 40

A biometric factor is a behavioral or physiological characteristic that is unique to a subject

Biometric factors can be used both as an identification and an authentication technique

Question 41

Tokens

Answer 41

Type 2 Factor

Tokens(or smart tokens) are password-generating devices that subjects must carry with them

Question 42

Static Tokens

Answer 42

swipe card, a smart card, or a USB RAM dongle

Question 43

Synchronous dynamic password tokens

Answer 43

Generate passwords at fixed time intervals. Require synchronizing the clock on an authentication server with the clock on the token device

Question 44

Asynchronous dynamic password tokens

Answer 44

Generate passwords based on occurrence of some event

Question 45

Challenge-response tokens

Answer 45

Generate passwords based on instructions (challenges) from the authentication system

Question 46

Single sign-on (SSO)

Answer 46

Single sign-on (SSO) is a mechanism that allows a subject to be authenticated only once on a system yet remain able to access multiple resources without repeated authentication prompts

Examplesof SSO mechanisms
Kerberos
SESAME
KryptoKnight
Directory services

Question 47

Kerberos

Answer 47

Relies on AES symmetric-key (private-key) cryptography

Provides end-to-end security for authentication traffic between clients and the key distribution center (KDC)

Relies on a trusted server hosting the functions of the KDC, a ticket-granting service (TGS), and an authentication service (AS)

An exchange of tickets (cryptographic messages) between clients, network servers, and the KDC

Question 48

Kerberos Login Process

Answer 48

1. The user types a username and password into the client
2. The client encrypts the credentials with AES for transmission to the KDC
3. The KDC verifies the user credentials
4. The KDC generates a ticket granting ticket (TGT) by hashing the user’s password
5. The TGT is encrypted with AES for transmission to the client
6. The client installs the TGT for use until it expires

Question 49

Kerberos Service Access Process

Answer 49

1.The client sends its TGT back to the KDC with a request for access to a server or service
2.The KDC verifies the validity of the TGT and verifies that the user has sufficient privileges to access the requested resource
3.A service ticket (ST) is generatedand sent to the client
4.The client sends the ST to the serveror service host
5.The server verifies the validityof the ST with the KDC
6.Once identity and authorization is verified, Kerberos activity is complete
–The server or service host then opens a session with
the client

Question 50

There are two primary categories of access control techniques

Answer 50

Discretionary Access Control (DAC)

Nondiscretionary Access Control
•Mandatory Access Control (MAC)
•Role Based Access Control (RBAC)
•Task Based Access Control (TBAC)

Question 51

Discretionary Access Controls

Answer 51

Allow the owner or creator of an object to control and define subject access to that object

Access control is based on the discretion (in other words, a decision) of the owner

Access is granted or denied based on the identity of the subject (which is typically the user account name)

Often implemented using access control lists (ACLs)
-Each ACL defines the types of access granted or restricted to individuals or grouped subjects

Question 52

Nondiscretionary Access Controls

Answer 52

Used in a rule-based system in which a set of rules, restrictions, or filters determines what can and cannot occur on the system

Access is not based on administrator or owner discretion and does not focus on user identity

Rule-based access control systems are more appropriate for environments that experience frequent changes to data permissions

Rule-based systems can implement sweeping changes just by changing centralized rules

Question 53

Nondiscretionary Access Control Types

Answer 53

–Mandatory Access Control (MAC)
–Role Based Access Control (RBAC)
–Task Based Access Control (TBAC)

Question 54

Mandatory Access Controls (MAC)

Answer 54

Rely upon the use of classification labels

Subjects are labeled by their level of clearance
Objects are labeled by their level of classification or sensitivity

Question 55

Classifications within a MAC environment are of three types:

Answer 55

Hierarchical environments relate various classification labels in an ordered structure. Clearance in one level grants the subject access to objects in that level as well as in lower levels

Compartmentalized environments require the subject to have specific clearance for each of its independent security domains

Hybrid environments combine hierarchical and compartmentalized concepts so that each hierarchical level may contain isolated subdivisions

Question 56

Systems that employ role-based (RBAC) or task-based (TBAC) access controls define a subject’s ability to access an object via

Answer 56

–subject roles (job descriptions)
–tasks(work functions).

Role-based access controls are useful in volatile environments with frequent personnel changes because access does not depend on subject identities

Question 57

Access control administration

Answer 57

Access control administrationis the set of tasks and duties assigned to an administratorto manage

Account Administration
–Creating, maintaining, and closing user accounts

Account, Log, and Journal Monitoring
–Monitoring online activities

Access Rights and Permissions
–Assigning access to objects
–Principle of least privilege

Question 58

user

Answer 58

A user is any subject who accesses objects on a system

Question 59

owner

Answer 59

An owner is the person who has final responsibility for classifying and protecting objects

Question 60

custodian

Answer 60

A custodian is a subject who has been assigned the day-to-day responsibility of properly storing and protecting objects

Question 61

Monitoring

Answer 61

Is a programmatic means by which subjects are held accountable for their actions while authenticated on a system

Is a process by which unauthorized or abnormal activities may be detected on a system

Can help reconstruct events, provide evidence for prosecution, and produce problem reports and analysis

Question 62

Intrusion Detection System (IDS)

Answer 62

An Intrusion Detection System (IDS)is a tool that automates the inspection of audit logs and real-time system events
–Primarily used to detect intrusion attempts
–Also used to detect system failures
–Watch for violations of confidentiality, integrity, and availability (CIA)

Question 63

The goal of an IDS is to

Answer 63

–provide perpetrator accountability for intrusion activities

–enable timely and accurate response to intrusions

Question 64

In general, IDSs can recognize

Answer 64

–attacks that come from external connections (such as the Internet)
–viruses and malicious code
–trusted internal subjects attempting to perform unauthorized activities
–unauthorized access attempts from trusted locations

Question 65

IDS Event Response

Answer 65

IDSs have only limited capability to stop or prevent attacks
-Typical responses include blocking ports, protocols, or source addresses

When an IDS discovers a violation, it records details of the issue and discards the malicious packets

An IDS shoud be considered one of many components that a defense-in-depthapproach employs to protect a network

Question 66

Host-Based IDS (HIDS)

Answer 66

Watches for suspicious activity on a single computer system

Can examine events in much greater detail than a network-based IDS

Question 67

Network-Based IDS (NIDS)

Answer 67

Watches for suspicious activity occurring on the network medium

A single NIDS can monitor a large network if installed on its backbone

NIDSs are installed onto dedicated single-purpose computers

Question 68

Knowledge-Based IDS

Answer 68

(or signature-based)

Uses a signature database

Attempts to match all monitored events to signatures in the database

If a match is found, the IDS assumes that an attack is taking place

Effective only against known attack methods

Question 69

Behavior-Based IDS

Answer 69

(or anomaly detection)

Learns about the normal activities on a system by watching and tracking events

Once it has accumulated enough data about normal activity, it can detect abnormal and possibly malicious activities or events

The primary drawback is that it produces many false alarms

Question 70

Honeypots

Answer 70

Honeypots attract intruders by presenting unpatched and unprotected security vulnerabilitiesas well as by hosting attractive but faux data

Question 71

Vulnerability scanners

Answer 71

Vulnerability scanners are used to test a system for known security vulnerabilities and weaknesses

A vulnerability scanner is only as useful as its database of security issues

Use of vulnerability scanners in cooperation with IDSs

Question 72

penetration

Answer 72

A penetrationoccurs when an attack is successfuland an intruder is able to breach the perimeter of a computer system

Question 73

Penetration testing

Answer 73

Penetration testing is one common method to test the strength of security measuresand discover all detectable weaknesses in the security perimeter

Penetration testing should be performed only with the consent and knowledge of management and security staff
–Performing unapproved security testing could
•cause productivity losses
•trigger emergency response teams
•potentially earn jail time

Question 74

Firewall and where it’s deployed

Answer 74

A firewall is a network device used to filter trafficand is deployed
–between a private network and a link to the Internet
–between departments within an organization

Question 75

Firewall filters

Answer 75

Firewalls filter traffic based on a set of rules, also called filtersor access control lists,distinguishing authorized traffic from unauthorized traffic

Question 76

Firewall types

Answer 76

Static packet filtering firewall
Application level gateway (proxy) firewall
Circuit level gateway (circuit proxy) firewall
Statefulinspection firewall

Question 77

Static packet filtering firewall

Answer 77

Filters traffic by examining a message header
Operate at Layer 3
Easily circumvented through spoofing

Question 78

Application level gateway (proxy) firewall

Answer 78

Filters traffic based on content and address
Each type of application must have its own proxy
Operates at Layer 7
Negatively affects network performance

Question 79

Circuit level gateway (circuit proxy) firewall

Answer 79

Used to establish communication sessions between trusted partners

Permits or denies forwarding decisions based solely on the endpoint designations of the communication circuit (source and destination addresses and service port numbers)

Operates at Layer 5

Question 80

Stateful inspection firewall

Answer 80

Filters based on content and context of traffic

Source and destination addresses, application usage, source of origin, and relationship between current packets and the previous packets

Operates at Layers 3 and 4

Question 81

Denial-of-service (DoS)

Answer 81

Denial-of-service (DoS)attacks prevent a system from processing or responding to legitimate traffic or requests

Question 82

There are several types of DoS flood attacks

Answer 82

A single attacking system flooding a victim with a steady stream of packets

Distributed Denial of Service (DDoS)
-DDoSattacks can be stopped by blocking packets from the compromised systems, but this can also result in blocking legitimate traffic because the sources of the flood packets are victims themselves

Distributed Reflective Denial of Service (DRDoS)

SYN-Flood

Smurf

Question 83

Distributed Reflective Denial of Service (DRDoS)

Answer 83

DRDoSattacks take advantage of the normal operation mechanisms of key Internet services, such as router update protocols (e.g., smurfattacks)

Numerous update/control packets are sent to various servers/routers with a spoofed source address for the intended victim, which will receive the response packets

Question 84

SYN-Flood

Answer 84

A SYN flood occurs when numerous SYN packets are sent to a server but the sender never replies to the server’s SYN/ACK with the final ACK

The server waits for the client’s ACK, holding open a session and consuming system resources

Question 85

Smurf Attack

Answer 85

Occurs when an amplifying server or networkis used to flood a victim with useless data

An amplifying server or network is any system that generates multiple response packets, such as Internet Control Message Protocol (ICMP) echo packets, from a single submitted packet

A common smurf attack method is to send a message to the broadcast address for a subnet or network with the victim’s spoofed address
–Every node on that network produces one or more response packets for the victim

If the amplification network can produce sufficient response packet volume, the victim will experience a DoS

Countermeasures for smurf attacks include disabling directed broadcasts on all network border routers

Question 86

Spoofing Attacks

Answer 86

Spoofing is the art of pretending to be something you’re not

Spoofing attacks consist of replacing a valid source and/or destination IP address with false ones

grants attackers the ability to hide their identities

Countermeasures:

• enabling source/destination verification on routers
• employing an IDS to detect and block attacks

Question 87

Man-in-the-Middle

Answer 87

A man-in-the-middle attack occurs when a malicious user is able to gain a position between the two endpoints of an ongoing communication

Question 88

sniffer attack(or snooping attack)

Answer 88

Attackers sniffing the traffic between two parties

Question 89

store-and-forward or proxy mechanism

Answer 89

Attackers positioning themselves in the line of communication where they act as a store-and-forward or proxy mechanism

To perform this type of attack, the attacker must alter routing information to impersonate a server from the perspective of the client and to impersonate the client from the perspective of the server

The attacker is invisible to both ends of the communication link

Question 90

Spamming Attacks

Answer 90

Spam is the term that describes unsolicited email, newsgroup, or discussion forum messages
–As innocuous as an advertisement
–As malignant as floods of unrequested messages with viruses or Trojan horses attached

Also considered a type of DoS