Access Control

Question 1

CIA

Answer 1

Confidentiality, Integrity, Availability

Question 1

Aceess controls protect against:

Answer 1

Threats such as unauthorized acess, inappropriate modification of data, and loss of confidentiality

Question 2

DAD

Answer 2

Opposing forces of CIA. Disclosure, Alteration, Destruction

Question 3

Confidentiality

Answer 3

Seeks to prevent unauthorized read access. Example is PII

Question 4

Integrity

Answer 4

Seeks to prevent unauthorized modification of information

Question 5

Two types of Integrity

Answer 5

Data Integrity & System Integrity

Question 6

Data Integrity

Answer 6

seeks to protect information against unauthorized modification

Question 7

System integrity

Answer 7

seeks to protect a system from unauthorized modification

Question 8

Availability

Answer 8

ensures that information is available when needed

Question 9

AAA

Answer 9

Authentication, Authorization, Accountability

Question 10

Identity

Answer 10

a claim of who you are (like a username)

Question 11

Authentication

Answer 11

proving an identity claim (like a password)

Question 12

Authorization

Answer 12

actions you perform on a system once you have identified and authenticated. May include, read, write, execute files/programs

Question 13

Accountability

Answer 13

holds users accountable tofr their actions. Typically done by logging and analyzing audit data

Question 14

Non-Repudiation

Answer 14

user cannot deny having performed a transaction. You must have authentication and integrity to have non-repudiation

Question 15

Least privilege

Answer 15

users should be granted the minimum amount of access (authorization) required to do their jobs

Question 16

Need to know

Answer 16

user must need to know that spcific piece of information before accessing it (user must have a business need to access data)

Question 17

Subject

Answer 17

an active entity on a system. Manipulate objects

Question 18

Object

Answer 18

Passive data on a system. Do not manipulate other objects

Question 19

Defense in Depth

Answer 19

applies multiple safeguards (called controls) to protect an asset

Question 20

Which Access control model is the best?

Answer 20

none, each model is used for a specific information security purpose

Question 21

What are the primary Access Control Models?

Answer 21

Discretionary Access Control (DAC), Mandatory Access Control (MAC), and Non-Discretionary Access Control

Question 22

What is DAC?

Answer 22

Discretionary Access Control?gives subjects full control of objects they have been given access to, includeing sharing the objects with other subjects

Question 23

What is MAC?

Answer 23

Mandatory Access Control?primarily for Gov’t/Military?system-enforced access control based on subject clearance level and object labels

Question 24

Two types of non-discretionary access control

Answer 24

Role-based Access Control (RBAC) and Task-based access control

Question 25

What is RBAC?

Answer 25

Role-based Access Control: defines how info is access on a system based on the role of the subject.

Question 26

Three rules of RBAC?

Answer 26

1. Role Assignment 2. Role Authorization 3. Transaction Authorization

Question 27

Task-based access control

Answer 27

based on the tasks each subject must perform (focuses on specific tasks rather than roles)

Question 28

Content- and Context-dependent access controls

Answer 28

not full fledged access control methods in their own right, but are part of a defense in depth supporting role

Question 29

Centralized access control

Answer 29

concentrates access control in one logical point for a system or organization

Question 30

Decentralized access control

Answer 30

IT administration to occur closer to the mission and operations of the organization. Also called distributed access control

Question 31

Identity Lifecycle Rules

Answer 31

* password policy compliance checking * notifying users to change passwords before they expire * ID lifecycle changes such as inactive accounts * ID new accounts not used for 10 days * ID suspended accounts * Id all accounts belonging to expired contract

Question 32

Access aggregation

Answer 32

Individual users gain more access to a system over time as jobs change and permissions aren’t removed

Question 33

What is RADIUS

Answer 33

Remote Authentication Dial-In User Service: considered an AAA system

Question 34

What is Diameter

Answer 34

successor to RADIUS; provided an improved AAA framework

Question 35

What is TACACS and TACACS+

Answer 35

Terminal Access Controller Acces Control System: centralized access control system that requires users to send an ID and password for authentication

Question 36

PAP?

Answer 36

Password Authentication Protocol referred to not a strong authentication method. Sends password in clear text

Question 37

CHAP?

Answer 37

challenge handshake authentication protocol: provides protection against playback attacks; depends upon a secret known to authenticator and the peer

Question 38

3 concepts that affect access control?

Answer 38

1. least privilege 2. separation of duties 3. rotation of duties

Question 39

separation of duties

Answer 39

checks and balances

Question 40

rotation of duties

Answer 40

requires different staff members to perform the same duty

Question 41

Describe 3 security labels used by Gov’t

Answer 41

Top Secret: Exceptionally Grave Damage Secret: Serious Damage Confidential: Damage

Question 42

Clearance

Answer 42

determinate whether or not a use can be trusted with a specific level of information

Question 43

Rule-Based Access Control

Answer 43

think firewalls. Uses a series of defined rules, restrictions and filters for accessing objects

Question 44

ACL

Answer 44

Access Control List: list of objects and the subjects that may access that object

Question 45

6 Access Control Types

Answer 45

1. Preventative 2. Detective 3. Corrective 4. Recovery 5. Deterrent 6. Compensating

Question 46

3 Access Control Categories

Answer 46

1. Administrative 2. Technical 3. Physical

Question 47

Admiministrative Access Control

Answer 47

also called directive; think paperwork

Question 48

Technical Access Control

Answer 48

implemented using software, hardware, or firmware?think buy/install something

Question 49

Physical Access Control

Answer 49

implemented with physical devices like doors, locks, guards, dogs, etc

Question 50

Preventative Access Control

Answer 50

prevent actions from happening; assigning of privileges on a system

Question 51

Detective Access Control

Answer 51

controls that alert during or after a successful attack; CCTV, bldg alarm system

Question 52

Corrective Access Control

Answer 52

work by correcting a damaged system or process; think antivirus software and HIDS, NIDS, HIPS, NIPS

Question 53

Recovery Access Control

Answer 53

restores functionality of a system and organization

Question 54

Deterrent Access Control

Answer 54

deters users from performing an action; think warning banners and “Beware of Dog” signs

Question 55

Compensating Access Control

Answer 55

security control put in place to compensate for a weakness in other controls

Question 56

3 types of authentication methods

Answer 56

Type 1 - Something you know Type 2 - Something you have Type 3 - Something you are

Question 57

Describe 4 types of passwords

Answer 57

1. Static 2. Passphrases 3. One-Time Passwords 4. Dynamic passwords

Question 58

Strong Authentication

Answer 58

requires users to present more than 1 type of authentication factor

Question 59

Hashing

Answer 59

one-way algorithm used to verify the integrity of data; uses an algorithm and no key

Question 60

Dictionary Attack

Answer 60

uses words from a dictionary and runs words through hashing algorithm, then tries to match hash

Question 61

Brute-force attack

Answer 61

take more time, more effective; calculates the hash of every possible password

Question 62

Rainbow tables

Answer 62

database that contains the precomputed hashed output for more or all possible passwords

Question 63

Hybrid attack

Answer 63

appends, prepends, or changes characters in words from a dictionary attack before hashing

Question 64

Salt

Answer 64

allows 1 password to hash differnent ways by adding a salt before hashing

Question 65

Synchronous Dynamic Token

Answer 65

use time or counters to synchronize a displayed code with code expected by server

Question 66

Asynchronous Dynamic Token

Answer 66

not synchronized with central server; commonly challenge-response tokens

Question 67

Describe FRR, FAR, and CER

Answer 67

as False Reject goes down, False accept goes up. They cross as Crossover Error Rate

Question 68

Which biometric control has potential health issues

Answer 68

retina scan

Question 69

Someplace you are

Answer 69

potential use for GPS to allow/disallow service based on where the activity takes place. Think credit cards

Question 70

Single Sign on advantages

Answer 70

• improved user and developer productivity - simplified admin

Question 71

single sign on disadvantages

Answer 71

-difficult to retrofit - unattended desktops - single point of attack

Question 72

FIdM

Answer 72

Federated Identity Management; applies SSO at a much wider scale from cross-org to Internet

Question 73

Kerberos

Answer 73

thid party authentication service that may be used to support SSO; uses KDC, TGS, TGT, Principal, Realm, Ticket, Credentials, C/S

Question 74

Principal

Answer 74

client (user) or service in Kerberos

Question 75

Realm

Answer 75

logical Kerberos network

Question 76

Ticket

Answer 76

data that authenticates a principal’s identity in kerberos

Question 77

Credentials

Answer 77

a ticket and a service key in kerberos

Question 78

KDC

Answer 78

Key distribution center which authenticates principals–pivotal piece of kerberos

Question 79

TGS

Answer 79

Ticket granting service

Question 80

TGT

Answer 80

ticket granting Ticket, good for a site-selected specific lifetime; allows typical uer to authenticate once and access network resources for the lifetime of the ticket

Question 81

C/S

Answer 81

client/server in kerberos

Question 82

Kerberos strengths

Answer 82

provides mutual authentication of client server; mitigates replay attacks via use of timestamps

Question 83

kerberos weaknesses

Answer 83

stores keys of all principals, replay attacks still possible

Question 84

SESAME

Answer 84

Secure European Ssytem for Application in a Multivender Environment; SSO supporting heterogeneous environment; addes to kerberos; uses Privilege Attribute Certificates (PAC)

Question 85

Security Audit Logs

Answer 85

easiest way to verify access control methods are working. Primarily a detective control

Question 86

5 distinct problems of audit logs

Answer 86

1. logs not reviewed 2. logs/trails not stored long enough 3. logs not standardized or viewable 4. log entries/alerts not prioritized 5. logs reviewed only for “bad” stuff

Question 87

Types of attackers

Answer 87

hackers, black/white hats, script kiddies, outsiders, insiders, hacktivist, bots/botnets, phishers/spear phishers

Question 88

Zombie

Answer 88

aka bot (computer system running malware controlled via botnet)

Question 89

vishing

Answer 89

automated voice scripts over a VoIP network

Question 90

penetration testing

Answer 90

white hat hacker trying to see if a black hat hacker can get into the system

Question 91

types of penetration testing

Answer 91

zero-knowledge/black box, full-knowledge/crystal-box, partial-knowledge