Access Control Flashcards Preview


Flashcards in Access Control Deck (45)
1
Q

CIA

A

CIA- Confidentiality, Integrity, Availability

2
Q

DAD

A

DAD (disclosure, alteration, destruction) opposes CIA

3
Q

IAAA

A

IAAA –

  • Identification (claiming an identity, e.g. a username),
  • Authentication (proving the identity claim),
  • Authorization (actions the authenticated subject may perform),
  • Accountability (or Auditing: tying actions back to the subject)
4
Q

Non-repudiation

A

Non-repudiation- user can’t deny performing a transaction

5
Q

Least Privilege

A

Least Privilege- minimum amount of access to do job (this is an ideal or target)

6
Q

Need to Know

A

Need to Know- more granular than Least Privilege (applies at the object level). E.g., a Secret clearance alone is not enough; the user must also be read into the specific program (compartment) that holds the data.

7
Q

Subject

A

Subject- active entity on a system (user, running program)

8
Q

Object

A

Object- passive data on system (file)

9
Q

Defense in Depth

A

Defense in Depth- (Layered Defense) multiple safeguards in layers (or controls); e.g., you had to get to a workspace, authn to workstation, the network, then the application

10
Q

Access Control Models (3 main models)

A

Access Control Models (3 main models)

  • DAC
  • MAC
  • RBAC
11
Q

DAC

A

DAC (Discretionary Access Control)- gives data owners full control of objects; access given via ACL based on Id (rather than roles as in RBAC)

12
Q

MAC

A

MAC (Mandatory Access Control)- based on subject clearance + object labels

  • Data owners cannot grant access!
  • OS makes the decision based on a security label system
  • Subject’s label must dominate the object’s label (level greater than or equal to, and need-to-know compartments a superset)
  • Subjects are given a clearance and objects a classification label (confidential, secret, top secret etc.)
  • Rules for access are configured by the security officer and enforced by the OS.
  • Focus on confidentiality; difficult & expensive, so it is used for high-security programs

Examples: SELinux, Trusted Solaris, Honeywell’s SCOMP, Purple Penelope, LIDS (Linux Intrusion Detection System)
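The dominance rule on this card, written out as a small check so the two halves (clearance level vs. need-to-know compartments) can be seen failing separately. This is an added example, not from the flashcards or from any of the systems listed; the level names, the compartment names and the subject/object labels are constructed. A real MAC implementation evaluates the same rule inside the OS, and, as the card says, there is deliberately no call an object owner could make to grant access.

```python
"""MAC dominance check (added example; levels and compartments constructed)."""
from dataclasses import dataclass

# Hierarchical levels, lowest to highest (constructed ordering)
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: str                              # clearance (subject) or classification (object)
    compartments: frozenset = frozenset()   # need-to-know categories, e.g. a program name

    def dominates(self, other: "Label") -> bool:
        """self >= other: level at least as high AND every compartment of other."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Read is allowed only when the subject's label dominates the object's."""
    return subject.dominates(obj)


def explain(subject: Label, obj: Label) -> str:
    """Say which half of the rule failed; handy when auditing label assignments."""
    if LEVELS[subject.level] < LEVELS[obj.level]:
        return f"deny: clearance {subject.level!r} below classification {obj.level!r}"
    missing = obj.compartments - subject.compartments
    if missing:
        return f"deny: no need-to-know for {sorted(missing)}"
    return "allow"


if __name__ == "__main__":
    alice = Label("secret", frozenset({"PROGRAM_X"}))   # constructed subject
    for doc in (Label("confidential"),
                Label("secret", frozenset({"PROGRAM_X"})),
                Label("secret", frozenset({"PROGRAM_Y"})),
                Label("top secret")):
        print(doc, "->", explain(alice, doc))
```

The third document in the demo is the Need-to-Know card in action: same Secret level, but a compartment the subject was never read into, so the read is denied even though the clearance is sufficient.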

13
Q

RBAC

A

RBAC (Role-Based Access Control) (some texts treat it as a form of non-discretionary/MAC):

  • Also called non-discretionary (the policy is set centrally, not by object owners)
  • Scales better than DAC and helps deter authorization creep: entitlements come only from roles, so removing a role removes everything it granted
  • Role Assignment- a subject can act only through an active role assigned to it
  • Role Authorization- a subject may activate only roles it is authorized for
  • Transaction Authorization- a subject may execute only transactions authorized for its active roles
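The three rules on this card as a small reference monitor, so each one is visible as a separate check. This is an added example, not from the flashcards; the users, roles and transactions are a constructed policy. The last function shows why the card says RBAC resists authorization creep: revoking one role drops every transaction it carried.

```python
"""RBAC core rules as code (added example; policy below is constructed)."""

# Role -> transactions that role may execute
ROLE_TRANSACTIONS = {
    "teller": {"view_balance", "deposit"},
    "auditor": {"view_balance", "view_audit_log"},
}

# User -> roles the user is authorized to activate
USER_ROLES = {
    "alice": {"teller"},
    "bob": {"teller", "auditor"},
}


class Session:
    """A session carries the subject's *active* roles; permissions flow only
    through them, never from the user identity directly."""

    def __init__(self, user: str, active_roles: set):
        if user not in USER_ROLES:
            raise PermissionError(f"unknown user {user!r}")
        # Role authorization: may only activate roles you are authorized for.
        unauthorized = set(active_roles) - USER_ROLES[user]
        if unauthorized:
            raise PermissionError(f"{user} not authorized for {sorted(unauthorized)}")
        # Role assignment: a subject can only act through an active role.
        if not active_roles:
            raise PermissionError("no active role; nothing may be executed")
        self.user, self.active_roles = user, set(active_roles)

    def can_execute(self, transaction: str) -> bool:
        # Transaction authorization: allowed only if some active role grants it.
        return any(transaction in ROLE_TRANSACTIONS.get(r, set())
                   for r in self.active_roles)


def check(user: str, active_roles: set, transaction: str) -> bool:
    """Single decision point: False on any rule violation."""
    try:
        return Session(user, active_roles).can_execute(transaction)
    except PermissionError:
        return False


def revoke_role(user: str, role: str) -> None:
    """Offboarding path: dropping the role drops every transaction it granted,
    which is what keeps entitlements from accumulating per user."""
    USER_ROLES[user].discard(role)


if __name__ == "__main__":
    print("alice/teller deposit:", check("alice", {"teller"}, "deposit"))
    print("bob/teller view_audit_log:", check("bob", {"teller"}, "view_audit_log"))
    print("bob/auditor view_audit_log:", check("bob", {"auditor"}, "view_audit_log"))
```

Note that bob, although authorized for the auditor role, cannot read the audit log in a session where only teller is active; that separation of active from authorized roles is what lets one account hold conflicting duties without exercising them at the same time.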
14
Q

Other Access Control Technologies

A

Access Control Technologies

  • Task-based Access Control
  • Content Dependent Access Control (decision depends on the data itself)
  • Context (e.g. time) Dependent Access Control
  • Rule-based Access Control
  • Access Control Matrix
  • Constrained User Interface- restrict users by not letting them see certain data or reach certain functionality (menus, views, restricted shells); follows the Clark-Wilson idea of ‘keep users out of your system’: users reach data only through the interface you give them
15
Q

IBM Access provisioning lifecycle rules

A

IBM Access provisioning lifecycle rules

  1. Password compliance checking
  2. Notifying users to change password before expiration
  3. Identifying accounts that should be suspended due to inactivity for more than 30 days
  4. Identifying unused new accounts
  5. Identifying accounts for deletion due to being suspended more than 30 days
  6. Revoking accounts when a contract expires or user leaves
16
Q

Access Aggregation

A

Access Aggregation- users gain access to more systems over time

17
Q

Authorization Creep

A

Authorization Creep- users gain more entitlements without shedding the old ones

18
Q

RADIUS

A

RADIUS- Remote Authentication Dial-In User Service; the most widely deployed AAA protocol

  • Centralized
  • UDP (User Datagram Protocol), ports 1812 (authN) and 1813 (accounting)
  • Provides limited accountability
  • Problems with flexibility, scalability, reliability, and security
  • Hides only the User-Password attribute (MD5 of shared secret + request authenticator XORed over the password); every other attribute, including the username, travels in clear text
  • Uses PAP, CHAP, or EAP

Packets carry an 8-bit Code field that identifies the message type; request and response data travel as attribute-value pairs (AVPs). Message types:

  • Access-Request
  • Access-Accept
  • Access-Reject
  • Accounting-Request
  • Accounting-Response
  • Access-Challenge
  • Status-Server
  • Status-Client
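What “encrypts only the password” means in practice: the User-Password hiding from RFC 2865 section 5.2 and the Response Authenticator from section 3, with the round trip checked. This is an added example, not from the flashcards; the shared secret, Request Authenticator and password are constructed test values, and the tiny User-Name attribute in the demo is built by hand to show it goes out in clear beside the hidden password.

```python
"""RADIUS User-Password hiding and Response Authenticator (added example)."""
import hashlib
import os


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """c(i) = p(i) XOR MD5(secret + c(i-1)), with c(0) = Request Authenticator.
    The password is NUL-padded to a multiple of 16 (max 128 bytes per the RFC)."""
    if len(request_auth) != 16 or not 0 < len(password) <= 128:
        raise ValueError("bad authenticator or password length")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += c
        prev = c                      # chaining: next key block depends on this ciphertext
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: regenerate the same MD5 blocks, XOR back, strip NUL padding."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out += bytes(x ^ b for x, b in zip(c, block))
        prev = c
    return bytes(out).rstrip(b"\x00")


def response_authenticator(code: int, ident: int, request_auth: bytes,
                           attributes: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): the only
    integrity check on an Access-Accept/Reject; nothing else in the packet is signed."""
    length = 20 + len(attributes)          # RADIUS header is a fixed 20 bytes
    return hashlib.md5(bytes([code, ident]) + length.to_bytes(2, "big")
                       + request_auth + attributes + secret).digest()


if __name__ == "__main__":
    secret, ra = b"constructed-shared-secret", os.urandom(16)   # constructed values
    hidden = hide_password(b"correct horse battery", secret, ra)
    print("hidden User-Password:", hidden.hex())
    print("recovered:", unhide_password(hidden, secret, ra))
    # The User-Name attribute (type 1, length 7) beside it is sent exactly like this:
    print("clear User-Name AVP:", bytes([1, 7]) + b"alice")
    print("Access-Accept authenticator:", response_authenticator(2, 7, ra, b"", secret).hex())
```

Two things worth noticing from the code: the hiding is a keyed MD5 stream, not a cipher with any modern security argument, and the Request Authenticator is sent in the clear, so anyone who captures a request and knows (or guesses) the password can attack the shared secret offline. That is the security problem the card alludes to, and why RADIUS is normally confined to a management network or wrapped in IPsec/TLS.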
19
Q

Diameter

A

Diameter- successor to and improvement on RADIUS

o Centralized

o Standardized in RFC 3588, revised as RFC 6733 (the “draft standard” status in older study material is out of date)

o Uses 32-bit AVP codes (RADIUS attribute types are 8-bit)

o Support for mobile (Mobile IP, roaming)

o Single server to manage policies

o Uses TCP (Transmission Control Protocol) or SCTP for reliable transport; protected with TLS or IPsec

20
Q

TACACS

A

TACACS (Terminal Access Controller Access Control System)

o Similar function to RADIUS

o UDP (can also use TCP)

o Centralized

o Authn using Id and static (reusable) password >> vulnerability

21
Q

TACACS+

A

TACACS+

o TCP (port 49)

o Centralized

o Multifactor AuthN

o Separates authentication, authorization and accounting into distinct functions

o Not backward compatible to TACACS

o Encrypts (MD5-keystream obfuscation with the shared key) the entire packet body below the header, including username and password, unlike RADIUS, which hides only the password

22
Q

PAP

A

PAP (Password Authentication Protocol)

o Password sent in clear text

23
Q

CHAP

A

CHAP (Challenge Handshake Authentication Protocol)

o Protection against playback (replay) attacks: each challenge is a fresh random nonce

o Uses a secret (never sent over the link) known to both authenticator and peer for authN

o Possible for mutual authN

o Authenticator must hold the secret in clear (recoverable) form, since it recomputes the hash

Three-way authN process: 1) authenticator sends a challenge (random nonce) with an identifier; 2) peer sends MD5(identifier || secret || challenge) plus its name; 3) authenticator recomputes the hash and compares it against the expected result
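The three steps above with both sides in one file, plus the replay check that the fresh nonce buys you and the clear-text secret store the card warns about. This is an added example following RFC 1994, not from the flashcards; the peer name, the secret and the 16-byte challenge size are constructed.

```python
"""CHAP handshake, authenticator and peer in one file (added example)."""
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Authenticator:
    """Server side. It must hold each peer's secret in clear to recompute the
    hash; that is the CHAP storage weakness on the card."""

    def __init__(self, secrets: dict):
        self.secrets = secrets          # name -> secret (clear text, by necessity)
        self.outstanding = {}           # identifier -> challenge not yet answered
        self.ident = 0

    def challenge(self) -> tuple:
        """Step 1: fresh identifier and random nonce."""
        self.ident = (self.ident + 1) % 256
        nonce = os.urandom(16)
        self.outstanding[self.ident] = nonce
        return self.ident, nonce

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        """Step 3: recompute and compare. The challenge is consumed on use, so a
        captured response cannot be replayed against a later challenge."""
        nonce = self.outstanding.pop(ident, None)
        if nonce is None or name not in self.secrets:
            return False
        expected = chap_response(ident, self.secrets[name], nonce)
        return hmac.compare_digest(expected, response)


class Peer:
    """Client side: never sends the secret, only the hash over the challenge."""

    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, ident: int, challenge: bytes) -> tuple:
        """Step 2: (Name, Response Value)."""
        return self.name, chap_response(ident, self.secret, challenge)


def run_handshake(auth: Authenticator, peer: Peer) -> tuple:
    """Drive one exchange; return (success, captured) where captured is what an
    eavesdropper on the link would have seen, so the caller can try replaying it."""
    ident, nonce = auth.challenge()
    name, value = peer.respond(ident, nonce)
    return auth.verify(ident, name, value), (ident, name, value)


if __name__ == "__main__":
    auth = Authenticator({"alice": b"constructed-secret"})       # constructed
    ok, captured = run_handshake(auth, Peer("alice", b"constructed-secret"))
    print("genuine peer:", ok)
    print("replay of captured response:", auth.verify(*captured))
    print("wrong secret:", run_handshake(auth, Peer("alice", b"guess"))[0])
```

Compare with PAP on the previous card: there the peer would send `b"constructed-secret"` itself, and the authenticator could store only a hash; CHAP inverts that trade, keeping the secret off the wire at the cost of keeping it recoverable on the server.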

24
Q

Separation of duties

A

Separation of duties- have more than one user perform sensitive transactions

25
Q

Rotation of duties

A

Rotation of duties- moves staff between jobs so peers review each other's work; reduces the opportunity for fraud and collusion

26
Q

NSI Labels (objects)

A

NSI Labels (objects)

o Top Secret- exceptionally grave damage to national security

o Secret- serious damage

o Confidential- damage

27
Q

Additional object labels

A

Additional object labels:

o Sensitive but unclassified (SBU)

o For Official Use Only (FOUO)

o Sensitive Compartmented Information (SCI)

28
Q

Access Control Defensive Types

A

Access Control Defensive Types

o Preventative- prevent actions from occurring, e.g., pre-employment drug screening

o Detective- alert during or after successful attack, e.g., alarm

o Corrective- typically works with detective to correct damage, e.g., anti-virus scan & quarantine

o Recovery- restore system/org functionality, e.g., reload of software or data

o Deterrent- deter users from performing actions, e.g. security sign

o Compensating- additional control to compensate for a weakness in another control

29
Q

Authentication Methods

A

o Type 1- Something you know

o Type 2- Something you have

o Type 3- Something you are- biometric

30
Q

Type 1 authN

A

Type 1- Something you know

o Static passwords- reusable

o Passphrases- words in a phrase

o One-time Password (OTP)- secure but difficult to manage

o Dynamic passwords- change at regular intervals

31
Q

Type 2 authN

A

Type 2- Something you have

o Synchronous dynamic tokens- time- or counter-synchronized with the server; the displayed code changes automatically

o Asynchronous dynamic tokens- challenge-response: the system presents a challenge, the user enters it and their PIN into the device, and the device’s output is sent back to the system, e.g. a smart card or challenge-response token

32
Q

Type 3 authN

A

Type 3- Something you are- biometric

o Template or file size should be 1K or less

o Should not cause psychological stress

o Must be used by all staff or have compensating controls

o Hygiene concern: contact sensors are shared, so bodily fluids can be exchanged

33
Q

Bio Enrollment

A

Enrollment- user registering: provides name, PIN/password, and bio info

34
Q

Bio Throughput

A

Throughput- authN using bio, typically 6-10 seconds

35
Q

FRR

A

False Reject Rate (FRR)- type 1 error, authorized subject rejected

36
Q

FAR

A

False Accept Rate (FAR)- type 2 error, unauthorized accepted

37
Q

CER

A

Crossover Error Rate (CER) or Equal Error Rate (EER)- the point where FRR = FAR; describes overall accuracy (lower is better)
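FRR, FAR and the crossover computed from match scores, so the trade-off behind the last three cards is visible rather than asserted. This is an added example, not from the flashcards; the two score lists are synthetic (constructed), not output from any real sensor. Scores are similarity values in [0, 1], and a sample is accepted when its score is at or above the threshold.

```python
"""FRR/FAR curve and crossover error rate (added example; scores constructed)."""

# Constructed match scores: authorized users (genuine) and unauthorized (impostor)
GENUINE = [0.91, 0.88, 0.95, 0.70, 0.82, 0.93, 0.60, 0.85, 0.78, 0.97]
IMPOSTOR = [0.10, 0.35, 0.22, 0.65, 0.40, 0.15, 0.72, 0.30, 0.05, 0.50]
THRESHOLDS = [i / 100 for i in range(101)]


def frr(threshold: float, genuine=GENUINE) -> float:
    """Type I error: genuine users rejected because they scored below the bar."""
    return sum(s < threshold for s in genuine) / len(genuine)


def far(threshold: float, impostor=IMPOSTOR) -> float:
    """Type II error: impostors accepted because they scored at or above the bar."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def crossover(genuine=GENUINE, impostor=IMPOSTOR, thresholds=THRESHOLDS) -> tuple:
    """Lowest threshold where FRR and FAR are closest, and the CER/EER there.
    A lower CER means a more accurate system; compare systems on this number."""
    best = min(thresholds, key=lambda t: abs(frr(t, genuine) - far(t, impostor)))
    return best, (frr(best, genuine) + far(best, impostor)) / 2


def curve(genuine=GENUINE, impostor=IMPOSTOR, step=0.1) -> list:
    """(threshold, FRR, FAR) rows: raising the bar trades FAR for FRR."""
    return [(round(t, 2), frr(t, genuine), far(t, impostor))
            for t in [i * step for i in range(int(1 / step) + 1)]]


if __name__ == "__main__":
    for t, r, a in curve():
        print(f"threshold {t:.1f}  FRR {r:.2f}  FAR {a:.2f}")
    t, cer = crossover()
    print(f"crossover at threshold {t:.2f}, CER = {cer:.2f}")
```

Operationally the CER is a comparison number, not a setting: a high-security door is tuned above the crossover (accept more false rejects to drive FAR down), a convenience login below it.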

38
Q

Fingerprints

A

Fingerprints- 40 data points usually scanned; most widely used;

main minutiae types:

39
Q

Retina scan

A

Retina scan- scans the capillary pattern at the back of the eye; rarely used due to health and privacy issues (the pattern can reveal medical conditions)

40
Q

Iris scan

A

Iris scan- picture of iris; high accuracy, passive

41
Q

Password management (adopted by DoD and MS community)

A

Password management (adopted by DoD and MS community)

o History = 24

o Maximum age = 90 days

o Minimum age = 2 days

o Minimum length = 8 characters

o Complexity requirements

o No reversible encryption (store a hash, not a decryptable form)

42
Q

Kerberos

A

Kerberos- named for the three-headed dog (Cerberus) guarding Hades; three heads = AAA

o Used in Windows 2000+ (default domain authN) and many Unix systems

o Key distribution model; does not transmit passwords (the client’s key is derived from the password and used only to decrypt the KDC’s reply)

o Uses DES (legacy) and AES for encryption

o Symmetric encryption >> protects against sniffing; timestamps in authenticators protect against replay

o Principals include users and network services

o KDC- Key Distribution Center, which authenticates principals and sends a Session Key and a TGT (Ticket Granting Ticket)

o TGS (Ticket Granting Server)- receives the TGT and an authenticator from the principal and issues a client/server session key plus a service ticket (encrypted with the server’s key) to the principal

o Realms – a grouping of principals that a KDC provides service for; looks like a domain name

o Server receives the service ticket and recovers the Session Key from it

o KDC and TGS can go down and an already-issued TGT will still be valid until it expires

Weaknesses:

  1. KDC stores all principals’ keys;
  2. KDC & TGS are single points of failure;
  3. locally cached credentials (tickets, keys) can be stolen;
  4. symmetric keys may be stored in plaintext on the KDC
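The AS, TGS and AP exchanges on this card modelled end to end, so the claims can be checked directly: the password never goes on the wire, the KDC holds every key, and the timestamp in the authenticator stops a replay. This is an added example, not from the flashcards and not a real Kerberos implementation; AES/DES are replaced by a toy SHA-256 stream cipher with an HMAC tag so it runs on the standard library alone, and the principal names, passwords, lifetimes and 300-second skew window are constructed.

```python
"""Toy Kerberos ticket flow: AS, TGS and AP exchanges (added example)."""
import hashlib
import hmac
import json
import os

SKEW = 300  # seconds of clock skew tolerated on an authenticator (constructed)


def derive_key(password: str) -> bytes:
    """string-to-key: the client's long-term key comes from its password."""
    return hashlib.sha256(b"toy-s2k" + password.encode()).digest()


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]


def encrypt(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption standing in for AES: nonce || ct || HMAC tag."""
    nonce, data = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")   # a wrong password lands here
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))


class KDC:
    """AS + TGS in one process. Holds every principal's long-term key (weakness 1)."""

    def __init__(self, keys: dict):
        self.keys = keys

    def as_exchange(self, client: str, now: int) -> bytes:
        """AS-REQ -> AS-REP: reply under the client's key; the TGT inside is under
        krbtgt's key, so the client can carry it but not read it."""
        sk = os.urandom(32).hex()
        tgt = encrypt(self.keys["krbtgt"], {"client": client, "sk": sk, "expires": now + 36000})
        return encrypt(self.keys[client], {"sk": sk, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int) -> bytes:
        """TGS-REQ -> TGS-REP: check TGT + authenticator, mint a service ticket."""
        t = decrypt(self.keys["krbtgt"], tgt)
        a = decrypt(bytes.fromhex(t["sk"]), authenticator)
        if a["client"] != t["client"] or abs(now - a["ts"]) > SKEW or now > t["expires"]:
            raise PermissionError("authenticator mismatch, stale, or TGT expired")
        sk2 = os.urandom(32).hex()
        ticket = encrypt(self.keys[service], {"client": t["client"], "sk": sk2, "expires": now + 3600})
        return encrypt(bytes.fromhex(t["sk"]), {"sk": sk2, "ticket": ticket.hex()})


class Service:
    """Application server: knows only its own key and the tickets sent to it."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.seen = name, key, set()

    def ap_exchange(self, ticket: bytes, authenticator: bytes, now: int) -> str:
        """AP-REQ: return the authenticated client name or raise."""
        t = decrypt(self.key, ticket)
        a = decrypt(bytes.fromhex(t["sk"]), authenticator)
        if a["client"] != t["client"] or now > t["expires"] or abs(now - a["ts"]) > SKEW:
            raise PermissionError("ticket/authenticator mismatch or expired")
        if (a["client"], a["ts"]) in self.seen:        # replay cache for the skew window
            raise PermissionError("replayed authenticator")
        self.seen.add((a["client"], a["ts"]))
        return t["client"]


def client_login(kdc: KDC, service: Service, name: str, password: str, now: int) -> tuple:
    """Client side of all three exchanges; returns (ticket, authenticator) for the service."""
    k = derive_key(password)
    rep = decrypt(k, kdc.as_exchange(name, now))             # password never leaves the client
    sk, tgt = bytes.fromhex(rep["sk"]), bytes.fromhex(rep["tgt"])
    tgs_rep = decrypt(sk, kdc.tgs_exchange(tgt, encrypt(sk, {"client": name, "ts": now}),
                                           service.name, now))
    sk2, ticket = bytes.fromhex(tgs_rep["sk"]), bytes.fromhex(tgs_rep["ticket"])
    return ticket, encrypt(sk2, {"client": name, "ts": now})


def build_realm() -> tuple:
    """Constructed realm: one user, one service, one KDC sharing the key table."""
    keys = {"krbtgt": os.urandom(32), "alice": derive_key("correct horse"),
            "fileserver": os.urandom(32)}
    return KDC(keys), Service("fileserver", keys["fileserver"])
```

Run it by calling `build_realm()`, then `client_login(kdc, svc, "alice", "correct horse", now)` and handing the result to `svc.ap_exchange(...)`; present the same ticket and authenticator a second time and the replay cache rejects it, and a wrong password fails inside `decrypt` of the AS-REP, never at the KDC. The `keys` dictionary in `build_realm` is the same single point of compromise as the first weakness on the card: whoever reads it can mint any ticket in the realm.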
43
Q

SESAME

A

SESAME (Secure European System for Applications in a Multivendor Environment)

o SSO that builds on Kerberos, adding PKI

o Uses PACs (Privileged Attribute Certificates) rather than tickets; PACs are digitally signed and contain the subject’s identity, access capabilities for the object, access time period and lifetime of the PAC.

o PACs come from the Privileged Attribute Server (PAS)

o supports heterogeneous environments

o scalability of public key encryption (asymmetric key); symmetric keys not stored in plaintext

o more sophisticated access control

o better manageability, audit, and delegation

44
Q

KryptoKnight

A

KryptoKnight- older obsolete SSO Technology

45
Q

Security Audit Logs

A

Security Audit Logs- NIST (SP 800-92, log management guide) recommends collecting the following logs

  • Network security SW/HW (antivirus, remote access, firewall, authn)
  • Operating System (sys events, audit records)
  • Application (request, response, operational actions)

Five mistakes:

  1. Not reviewed regularly or timely
  2. Not stored long enough
  3. Not standardized or viewable by toolsets
  4. Not prioritized
  5. Only reviewed for the bad stuff