Access Controls
Recovery Controls
Restore lost computing resources or capabilities and help the organization to recover monetary losses caused by a security violation or incident.
Need To Know
Restricts users from accessing information or systems not required to perform their job.
Single Sign On Pros?
-Efficient Logon Process. -Encourages users to create stronger passwords. -Centralized administration
Preventative Controls
Block unwanted actions.
Information Security TRIAD
Confidentiality - Integrity - Availability
Mandatory Access Control (MAC)
-Not MAC Address- Defined by the orange book - Means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization of subjects to access information of such sensitivity.
Kerberos security guidelines include?
-Short authentication lifetimes -Use time stamps to minimize the threat of replayed credentials. -Key distribution center must be physically secured -Use redundant authentication servers. -KDC should be hardened, not allowing any non-Kerberos network activity
What are Kerberos's limitations?
-Symmetric keys between realms can cause scalability issues -Built on single factor authentication only. (Smart Card PKI is the expensive solution to this problem.)
What are the biometric selection criteria
1 - Accuracy 2 - Acceptability 3 - Reaction or Processing Time 4 - Population Coverage 5 - Data Protection
Asynchronous Token Device Process
1 - User initiates logon request 2 - Authentication server provides a challenge (a random number that is the input value) that can only be answered by the user's token. 3 - User enters the challenge and PIN in the token 4 - Token generates the response (password) to the challenge, which appears in the token's window 5 - User provides the password to the authentication server 6 - Access granted.
What are the benefits of an AAA server
1. Decreased time to administer because all authentication is maintained on a single host 2. Reduction in configuration errors because of the use of similar formats for different access devices 3. Reduced need for admin training. 4. Improved quality and speed of compliance auditing because all access requests are handled by one system. 5. Reduction in helpdesk calls 6. Authentication process is separated from the communication process, enabling the consolidation of user authentication data on a centralized database.
One Time Password
AKA Session Password or Dynamic Password. Password only used once.
Single Sign On (SSO)
A centralized authentication database that administers access to multiple resources.
Network Information Services (NIS)
A peer-to-peer database of network services that has since been supplanted by LDAP because of its lack of authentication and scalability.
Privacy Aware, Role Based Access Control
A privacy-aware role-based access control model extends RBAC to express highly complex privacy-related policies, including consideration of such features as conditions and obligations. (1-28)
Passphrase
A series of words selected and easily remembered by a user.
Security Assertion Markup Language (SAML)
SAML provides an XML-based framework for exchanging security-related information over networks, and thus over the Internet. It defines XML structures for representing information pertaining to authentication and authorization so that these structures can be marshaled across system boundaries and can be understood by the recipient's security systems.
Accountability
Ability to track user activity on a system.
Rule Based Access Control
Access is based on a list of rules created or authorized by system owners that specify the privileges granted to users. Because the object owner writes the rules, this is another example of DAC (discretionary access control).
Non-Discretionary Access Control
Access rules are closely managed by the security administrator. Offers stronger security than DAC because it does not rely only on users' compliance.
What are the three types of access control?
Administrative, physical, and technical.
Spoofing/Masquerading
An active attack performed when one node on a network pretends to be another trusted node. Masquerading is an attempt to gain access by posing as an authorized user and thus enjoying the user's access privileges.
Kerberos
An authentication protocol that uses symmetric key encryption in three key pairs. Two authentication pairs are shared by the authenticator and a single principal and one session pair is shared between principals so that the principals are required to trust the authenticator rather than each other.
Retina Scan
Analyzes the blood vessel pattern of the inside rear portion of the eye ball.
Directive Controls
Are those dictated by organizational and legal authority. Looking for problems.
Passive Attacks
Attacker gains access to your assets, but generally they are not trespassing (ex. eavesdropping).
Active Attacks
Attacker manipulates your assets, your people, or environment. Sometimes they are in an area they should not be in.
False rejection rate (FRR)
Authentication fails when it should not. Authorized person is denied access.
False Acceptance Rate (FAR)
Authentication is successful when it should not be. More serious of an issue.
Content Dependent Access Control
Based on the actual content of the data record. Requires the access control mechanism to look at the data in order to make access decisions.
Role Based Access Control (RBAC)
Bases access control authorization on the user's job functions. Determination of what roles have access to a file is at the owner's discretion.
Web Access Management (WAM)
Can administer user identity, authentication, and authorization concurrently for multiple web-based applications.
Subject Oriented Capability Table
Collection of access control lists implemented by a company. The columns are objects and the rows are subjects.
Object Based Access Control Matrix
Collection of access control lists implemented by a company. The columns are users or subjects with their rights of access to protected objects.
Time Based Synchronization
Common token that generates a new dynamic password that is displayed in its window and is entered with the user's PIN at the workstation. Must be synced within 4 min of the authentication server.
RFID (Radio Frequency Identification)
Contactless technology for identification that uses transponders in the form of RF tags attached.
Discretionary Access Control (DAC)
Defined in the Orange Book (C1) - Means of restricting access to objects based on the identity of subjects and/or groups to which they belong. Subjects with access permission are capable of passing that permission on to any other subject. Can be used to implement need-to-know.
Secure European System Application in Multi-Vendor Environment (SESAME)
Developed by the European Union and is an improvement on Kerberos. It offers public key cryptography and role-based access control capabilities. Supports Single Sign On and uses both symmetric and asymmetric keys.
What are the seven main categories of access control?
Directive, deterrent, preventative, detective, corrective, compensating, and recovery.
Domain Name System (DNS)
Directory service for resolution of Fully Qualified Domain Names to IP addresses, or the reverse.
Extensible Access Control Markup Language (XACML)
Enables the use of arbitrary attributes in policies, role based access controls, security labels, time/date policies, indexable policies, deny policies, and dynamic policies without requiring changes to the applications.
How long should biometric enrollment/throughput take?
Enrollment >2 minutes, Throughput is typically 6-10 seconds
Active Directory (AD)
Functions include: provide information on objects, organize objects for easy retrieval and access, allow access, allow admin to setup security for the directory.
Static Password
Fixed or reusable password. Oldest and weakest method of authentication.
Faraday Cage
Foil-lined card holder used to protect contactless smart cards from contactless attacks.
Hierarchical Domain Relationship
Following the Bell-LaPadula model, subjects are allowed to access objects at or lower than their access level. Domains of a higher privilege are protected from domains of a lower privilege.
Tokens
Generate dynamic (one-time) passwords and come in asynchronous (challenge-response) or synchronous (time or event based) versions.
Kerberos Authentication Server does what?
Grants Ticket Granting Ticket (TGT) and session key and encrypts it using password as key.
Detective Controls
Identify, log, and alert management to unwanted actions or events as or after they occur.
What is a AAA Server?
Implements centralized authentication services. Examples: RADIUS TACACS+ DIAMETER
Technical Controls
Involves the hardware or software mechanisms used to manage access and to provide protection for resources and systems. As the name implies, it uses technology. Examples include authentication methods (such as usernames, passwords, smartcards, and biometrics), encryption, constrained interfaces, access control lists, protocols, firewalls, routers, intrusion detection systems (IDSs), and clipping levels. Also called logical controls.
Dictionary Attack
Is used when the password to be cracked is believed to be based on a word that can be found in a list of common words.
Authentication Methods?
Knowledge - Something you Know (Type I) Ownership - Something you have (Type II) Characteristics - Something you are (Type III)
Rainbow Tables
Lookup tables containing pre-hashed passwords used to speed up password cracking. Cracking time can be reduced by the square of the available memory.
Memory Cards
Magnetic strip cards that provide identification/authentication applications.
Behavioral Biometrics
Measures dynamic characteristics such as voice inflections, keyboard strokes, signature motions, etc.
Physiological Biometrics
Measures features such as fingerprints, iris granularity, blood vessels on the retina, facial measurements, hand geometry, etc.
X.400
Messaging (notably email) standard specified by the ITU-T (international Telecommunications Union - Telecommunications Standardization Sector). Alternative to SMTP.
Access Control Lists (ACLS)
Most common implementation of DAC (discretionary access control). Provides an easy method for specifying which users or subjects are allowed to access which file. (1-29)
Sniffers
Packet sniffers are programs that read all traffic on a network and look for keywords, phrases, login IDs, passwords, etc. in cleartext.
Centralized Access Control
One entity makes network access decisions.
OASIS
Organization for the Advancement of Structured Information Standards - Put forth markup languages such as SPML, SAML, and XACML
Administrative Controls
Policies and procedures defined by an organization's security policy and other regulations or requirements. They are sometimes referred to as management controls. These controls focus on personnel and business practices. Examples of administrative access controls include policies, procedures, hiring practices, background checks, data classifications and labeling, security awareness and training efforts, vacation history, reports and reviews, work supervision, personnel controls, and testing.
Deterrent Controls
Prescribe some sort of punishment, ranging from embarrassment to job termination or jail time.
Service Provisioning Markup Language (SPML)
Provides an XML-based framework for managing the allocation of system resources within and between organizations. It defines the provisioning of digital services such as user accounts and access privileges on systems, networks and applications as well as non-digital or physical resources such as cell phones and credit cards.
Kerberos Ticket Granting Server (TGS)
Provides continuous means of obtaining additional tickets for the same or other applications after the initial authentication by the authentication server.
Time of Check (TOC) vs Time of Use (TOU)
Race condition that takes advantage of changes in the state of the security of an object. If the user's permissions were removed subsequent to their login, they may well be able to continue using the system even though their rights were removed. This is an asynchronous attack based on the difference between when the access control system was checked and when a user used the controlled system.
Iris Scan
Records unique patterns in the colored portion of the eye.
Compensating Controls
Reinforce or replace normal controls that are unavailable for any reason.
Corrective Controls
Remedy the circumstances that enabled the unwanted activity, and/or return conditions to where they were prior to the unwanted activity.
What are the Information Classification Procedures?
Scope - Perform a business impact analysis to evaluate all the data handled and determine its value with respect to sensitivity and criticality. Process - Based on the impact analysis, determine how many levels of classifications are necessary, determine the appropriate policies and procedures for classification. Marking and Labeling - All media containing sensitive and critical info must be marked in accordance with classification policy and procedures. Assurance - Regular internal/external audits should review information classification choices and adherence levels. (1-5)
Privilege Attribute Certificate (PAC)
Secure European System for Application in a Multi-Vendor Environment (SESAME) receives the Privilege Attribute Certificate (PAC) from the Privilege Attribute Server (PAS). Replaces the TGT/TGS process of Kerberos.
Emanations
Signals from devices that may be intercepted. Controls include shielding and grounding.
Single Sign On Cons
-Single point of compromise -Legacy invulnerability -Implementation difficulties
Authorization
Specifies what a user is permitted to do after being successfully identified and authenticated by the system.
X.500
Standard way to develop an electronic directory of people in an organization so that it can be part of a global directory available to anyone in the world.
Brute Force Attack
The use of massive resources rather than strategy or tactics. A DoS or an attack that tries all possible cryptographic keys are examples. Tries every possible combination.
Context Dependent Access Control
The access decisions are based on the context of a collection of information rather than on the sensitivity of the data.
Denial of Service
The act of reducing the availability of a system or its components below the level needed to support processing or communication, or any action or actions that prevent any part of a system from functioning as it is intended to.
Crossover Error Rate (CER)
The point at which the False Rejection Rate and False Acceptance Rate intersect.
Least Privilege
The principle that people or processes should only be allowed access to the resources they absolutely need to accomplish their assigned work and only for as long as necessary to complete that work.
Information Classification
The proper assessment of the sensitivity and criticality of a given piece of information. When executed well, it ensures that information is neither improperly disclosed nor overprotected.
Security Domains
The set of objects that a subject in an information system is allowed to access.
Labels
The system compares the subject and object labels in accordance with the specifications from setup in order to make its decision as to whether to allow access. Because not all people with privilege or clearance level for sensitive material need access to all sensitive information, the owner provides the need-to-know element.
Physical Controls
These controls include physical mechanisms deployed to prevent, monitor, or detect direct contact with systems or areas within a facility. Examples of physical access controls include guards, fences, motion detectors, locked doors, sealed windows, lights, cable protection, laptop locks, badges, swipe cards, guard dogs, video cameras, mantraps, and alarms. Something you can touch.
Temporal Isolation
Time based access control; provides a physical method of exercising a pseudo-MAC by labeling the classification, or sensitivity level, of an object and then setting up the system so as to process a particular sensitivity level only during specific time ranges.
Salt
To help protect passwords against rainbow table cracking, a salt or random value is added to the end of the password.
Smart Cards
Tokens that contain one or more microprocessor chips that accept, store and send information through a reader and are used for authentication. The authentication process occurs at the reader, avoiding the trusted path (protecting logon info between the user and authentication server) problem.
Single factor authentication
Use of one authentication method.
Two factor authentication
Use of two authentication methods.
Use of MAC and IP addresses for identification.
Used individually or together in order to identify a system on a network. Physical/logical addresses provide a first level identification and the user then provides another means of authentication to gain access. Physical/logical address can be used as a form of authentication, but it is not a good security practice because they can be spoofed.
Constrained User Interface
Users are only allowed access to specific functions, files, or other resources and are prevented from requesting access to unauthorized resources.
Authentication
Verification, validation, or proof of the professed identification of a person or node.
Swiping Attack
When a point of sale (POS) terminal or ATM is modified to capture PINs as well as recording the card details.
Key Distribution Center
Works as both the Kerberos authentication server and Ticket Granting Server.
Event Based Synchronization
can be implemented in proximity devices that enter the password automatically with the PIN. This is often used for continuous authentication where the user is only permitted access while within a defined range of the system.
Lightweight Directory Access Protocol (LDAP)
is a network connected directory of organization resources. Used to communicate with systems like AD.
Identification
the process, generally employing unique, machine-readable names, that enables recognition of users or resources as valid accounts that were set up on the computer system.
Graphical password
uses a sequence of images or a sequence of points on an image rather than a string of characters.