D1-Access Control
Preventive (3.2)
Preventive controls prevent actions from occurring. They apply restrictions to what a potential user, either authorized or unauthorized, can do. An example of an administrative preventive control is a preemployment drug screening. It is designed to prevent an organization from hiring an employee who is using illegal drugs.
False Accept Rate (4.4)
A false acceptance occurs when an unauthorized subject is accepted as valid. If an organization's biometric control produces many false rejections, the organization may have to lower the accuracy of the system by reducing the amount of data it collects when authenticating subjects. When the data points are reduced, the organization risks an increase in the false acceptance rate, meaning an unauthorized user may gain access. This type of error is also called a Type II error. A false accept is worse than a false reject: most organizations would rather reject authentic subjects than accept impostors. FARs (Type II errors) are worse than FRRs (Type I errors). Two is greater than one, which will help you remember that FAR is Type II, which is worse than Type I (FRRs).
False Reject Rate (4.4)
A false rejection occurs when an authorized subject is rejected by the biometric system as unauthorized. False rejections are also called a Type I error. False rejections cause frustration of the authorized users, reduction in work due to poor access conditions, and expenditure of resources to revalidate authorized users.
IBM describes the following identity lifecycle rules (2.7)
- "Password policy compliance checking
- Notifying users to change their passwords before they expire
- Identifying life cycle changes such as accounts that are inactive for more than 30 consecutive days
- Identifying new accounts that have not been used for more than 10 days following their creation
- Identifying accounts that are candidates for deletion because they have been suspended for more than 30 days
- When a contract expires, identifying all accounts belonging to a business partner or contractor's employees and revoking their access rights"[1]
Penetration tests may include the following tests (6.1)
- Network (Internet)
- Network (internal or DMZ)
- War dialing
- Wireless
- Physical (attempt to gain entrance into a facility or room)
six access control types (3.1)
- Preventive
- Detective
- Corrective
- Recovery
- Deterrent
- Compensating
Kerberos has the following components (5.3)
- Principal: Client (user) or service
- Realm: A logical Kerberos network
- Ticket: Data that authenticates a principal's identity
- Credentials: A ticket and a service key
- KDC: Key Distribution Center, which authenticates principals
- TGS: Ticket-Granting Service
- TGT: Ticket-Granting Ticket
- C/S: Client/Server, regarding communications between the two
Compensating (3.7)
A compensating control is an additional security control put in place to compensate for weaknesses in other controls.
Dictionary Attacks (4.2)
A dictionary attack uses a word list (a predefined list of words) and runs each word through a hash algorithm. If the cracking software matches the hash of a dictionary word to the stored password hash, the attacker has identified the original password.
Hybrid Attacks (4.2)
A hybrid attack appends, prepends, or changes characters in words from a dictionary before hashing, to attempt the fastest crack of complex passwords. For example, an attacker may have a dictionary of potential system administrator passwords but also replaces each letter "o" with the number "0."
AUTHENTICATION METHODS (4)
A key concept for implementing any type of access control is controlling the proper authentication of subjects within the IT system. A subject first identifies himself or herself; this identification cannot be trusted. The subject then authenticates by providing an assurance that the claimed identity is valid. A credential set is the term used for the combination of both the identification and authentication of a user.
ASSESSING ACCESS CONTROL (6)
A number of processes exist to assess the effectiveness of access control. Tests with a narrower scope include penetration tests, vulnerability assessments, and security audits. A security assessment is a broader test that may include narrower tests, such as penetration tests, as subsections.
Penetration Testing (6.1)
A penetration tester is a white hat hacker who receives authorization to attempt to break into an organization's physical or electronic perimeter (and sometimes both). Penetration tests (called "pen tests" for short) are designed to determine whether black hat hackers could do the same. They are a narrow, but often useful, test, especially if the penetration tester is successful.
Rainbow Tables (4.2)
A rainbow table is a precomputed compilation of plaintexts and matching ciphertexts (typically passwords and their matching hashes). Rainbow tables greatly speed up many types of password cracking attacks, often taking minutes to crack where other methods (such as dictionary, hybrid, and brute-force password cracking attempts) may take much longer. Though rainbow tables act as a database, they are more complex under the hood, relying on a time/memory trade-off to represent and recover passwords and hashes. Most rainbow tables can crack most, but not all, possible hashes.
Retina Scan (4.4)
A retina scan is a laser scan of the capillaries that feed the retina at the back of the eye. This can seem personally intrusive because the light beam must directly enter the pupil, and the user usually needs to press their eye up to a laser scanner eyecup. The laser scan maps the blood vessels of the retina. Health information of the user can be gained through a retina scan: conditions such as pregnancy and diabetes can be determined, which may raise legitimate privacy issues. Because of the need for close proximity of the scanner in a retina scan, exchange of bodily fluids is possible when using retina scanning as a means of access control.
Rule-Based Access Controls (2.4)
A rule-based access control system uses a series of defined rules, restrictions, and filters for accessing objects within a system. The rules are in the form of "if/then" statements. An example of a rule-based access control device is a proxy firewall that allows users to surf the Web with predefined approved content only (If the user is authorized to surf the Web and the site is on the approved list, then allow access). Other sites are prohibited and this rule is enforced across all authenticated users.
Salts (4.2)
A salt allows one password to hash multiple ways. Some systems (like modern UNIX/Linux systems) combine a salt with a password before hashing: "The designers of the UNIX operating system improved on this method by using a random value called a 'salt.' A salt value ensures that the same password will encrypt differently when used by different users. This method offers the advantage that an attacker must encrypt the same word multiple times (once for each salt or user) in order to mount a successful password-guessing attack."[4] This makes rainbow tables far less effective (if not completely ineffective) for systems using salts. Instead of compiling one rainbow table for a system that does not use salts (such as Microsoft LAN Manager hashes), thousands, millions, billions, or more rainbow tables would be required for systems using salts, depending on the salt length.
Security Audits (6.3)
A security audit is a test against a published standard. Organizations may be audited for PCI-DSS (Payment Card Industry Data Security Standard) compliance, for example. PCI-DSS includes many required controls, such as firewalls, specific access control models, and wireless encryption. An auditor then verifies a site or organization meets the published standard.
Voiceprint (4.4)
A voiceprint measures the subject's tone of voice while stating a specific sentence or phrase. This type of access control is vulnerable to replay attacks (replaying a recorded voice), so other access controls must be implemented along with the voiceprint. One such control requires subjects to state random words, protecting against an attacker playing prerecorded specific phrases. Another issue is people's voices may substantially change due to illness, resulting in a false rejection.
zero-knowledge test (6.1)
A zero-knowledge test is "blind"; the penetration tester begins with no external or trusted information and begins the attack with public information only. A full-knowledge test provides internal information to the penetration tester, including network diagrams, policies and procedures, and sometimes reports from previous penetration testers. Partial-knowledge tests are in between zero and full knowledge: the penetration tester receives some limited trusted information.
Confidentiality (1.1)
Confidentiality seeks to prevent the unauthorized disclosure of information: it keeps data secret. In other words, confidentiality seeks to prevent unauthorized read access to data. An example of a confidentiality attack would be the theft of Personally Identifiable Information (PII), such as credit card information.
User Entitlement, Access Review, and Audit (2.7)
Access aggregation occurs as individual users gain more access to more systems. This can happen intentionally, as a function of Single Sign-On (SSO). It can also happen unintentionally: users often gain new entitlements (also called access rights) as they take on new roles or duties. This can result in authorization creep: users gain more entitlements without shedding the old ones. The power of these entitlements can compound over time, defeating controls such as least privilege and separation of duties. User entitlements must be routinely reviewed and audited. Processes should be developed that reduce or eliminate old entitlements as new ones are granted.
Access Control Lists (2.6)
Access control lists (ACLs) are used throughout many IT security policies, procedures, and technologies. An access control list is a list of objects; each entry describes the subjects that may access that object. Any access attempt by a subject to an object that does not have a matching entry on the ACL will be denied.
Accountability (1.2)
Accountability holds users accountable for their actions. This is typically accomplished by logging and analyzing audit data. Enforcing accountability helps keep "honest people honest." For some users, knowing that data is logged is not enough to provide accountability: they must know that the data is logged and audited and that sanctions may result from violation of policy.
Recovery (3.5)
After a security incident has occurred, recovery controls may need to be applied in order to restore functionality of the system and organization. Recovery means that the system must be recovered: reinstalled from OS media or image, data restored from backups, etc.
Iris Scan (4.4)
An iris scan is a passive biometric control. A camera takes a picture of the iris (the colored portion of the eye) and then compares it to photos within the authentication database. This also works through contact lenses and glasses. Each person's two irises are unique, even twins' irises. Benefits of iris scans include high accuracy, passive scanning (which may be accomplished without the subject's knowledge), and no exchange of bodily fluids.
Asynchronous Dynamic Token (4.3)
Asynchronous dynamic tokens are not synchronized with a central server. The most common variety is challenge-response tokens. Challenge-response token authentication systems produce a challenge or input for the token device. Then the user manually enters the information into the device along with their PIN, and the device produces an output. This output is then sent to the system.
Authorization (1.2)
Authorization describes the actions you can perform on a system once you have identified and authenticated. Actions may include reading, writing, or executing files or programs.
Availability (1.1)
Availability ensures that information is available when needed. Systems need to be usable (available) for normal business use. An example of attack on availability would be a Denial-of-Service (DoS) attack, which seeks to deny service (or availability) of a system.
CORNERSTONE INFORMATION SECURITY CONCEPTS (1)
Before we can explain access control, we must define cornerstone information security concepts. These concepts provide the foundation upon which the 10 domains of the Common Body of Knowledge are built.
Access Control Protocols and Frameworks (2.8)
Both centralized and decentralized models may support remote users authenticating to local systems. A number of protocols and frameworks may be used to support this need, including RADIUS, Diameter, TACACS/TACACS+, PAP, and CHAP.
Brute-Force Attacks (4.2)
Brute-force attacks take more time but are more effective. The attacker calculates the hash outputs for every possible password. Just a few years ago, basic computer speed was still slow enough to make this a daunting task. However, with the advances in CPU speeds and parallel computing, the time required to brute-force complex passwords has been considerably reduced.
Centralized Access Control (2.5)
Centralized access control concentrates access control in one logical point for a system or organization. Instead of using local access control databases, systems authenticate via third-party authentication servers. Centralized access control can be used to provide Single Sign-On (SSO), where a subject may authenticate once, and then access multiple systems. Centralized access control can centrally provide the three "A's" of access control: Authentication, Authorization, and Accountability.
Confidentiality, Integrity, and Availability (1.1)
Confidentiality, Integrity, and Availability are the "CIA triad," the cornerstone concept of information security. The triad, shown in Figure 1.1, forms the three-legged stool information security is built upon. The order of the acronym may change (some prefer "AIC," perhaps to avoid association with a certain intelligence agency), but the concepts are essential. This book will use the "CIA" acronym.
Corrective (3.4)
Corrective controls work by "correcting" a damaged system or process. The corrective access control typically works hand in hand with detective access controls. Antivirus software has both components. First, the antivirus software runs a scan and uses its definition file to detect whether there is any software that matches its virus list. If it detects a virus, the corrective controls take over, place the suspicious software in quarantine, or delete it from the system.
Defense-in-Depth (1.6)
Defense-in-depth (also called layered defenses) applies multiple safeguards (also called controls: measures taken to reduce risk) to protect an asset. Any single security control may fail; by deploying multiple controls, you improve the confidentiality, integrity, and availability of your data.
Detective (3.3)
Detective controls are controls that alert during or after a successful attack. Intrusion detection systems alerting after a successful attack, closed-circuit television cameras (CCTV) that alert guards to an intruder, and a building alarm system that is triggered by an intruder are all examples of detective controls.
Deterrent (3.6)
Deterrent controls deter users from performing actions on a system. Examples include a "beware of dog" sign: a thief facing two buildings, one with guard dogs and one without, is more likely to attack the building without guard dogs. A large fine for speeding is a deterrent for drivers to not speed. A sanction policy that makes users understand that they will be fired if they are caught surfing illicit or illegal Web sites is a deterrent.
Diameter (2.8)
Diameter is RADIUS' successor, designed to provide an improved Authentication, Authorization, and Accounting (AAA) framework. RADIUS provides limited accountability and has problems with flexibility, scalability, reliability, and security. Diameter is more flexible, allowing support for mobile remote users, for example.
Discretionary Access Controls (2.1)
Discretionary Access Control (DAC) gives subjects full control of objects they have been given access to, including sharing the objects with other subjects. Subjects are empowered and control their data. Standard UNIX and Windows operating systems use DAC for file systems: subjects can grant other subjects access to their files, change their attributes, alter them, or delete them.
Dynamic Signature (4.4)
Dynamic signatures measure the process by which someone signs his or her name. This process is similar to keyboard dynamics, except that this method measures the handwriting of the subjects while they sign their name. Measuring time, pressure, loops in the signature, and beginning and ending points all help to ensure the user is authentic.
Biometric Enrollment and Throughput (4.4)
Enrollment describes the process of registering with a biometric system: creating an account for the first time. Users typically provide their username (identity), a password or PIN, and then provide biometric information, such as swiping fingerprints on a fingerprint reader or having a photograph taken of their irises. Enrollment is a one-time process that should take 2 minutes or less. Throughput describes the process of authenticating to a biometric system. This is also called the biometric system response time. A typical throughput is 6-10 seconds.
Facial Scan (4.4)
Facial scan technology has greatly improved over the past few years. Facial scanning (also called facial recognition) is the process of passively taking a picture of a subject's face and comparing that picture to a list stored in a database. Although not frequently used for biometric authentication control due to the high cost, law enforcement and security agencies use facial recognition and scanning technologies for biometric identification to improve security of high-valued, publicly accessible targets.
Federated Identity Management (5.2)
Federated Identity Management (FIdM) applies Single Sign-On at a much wider scale: ranging from cross organization to Internet scale. It is sometimes simply called Identity Management (IdM). FIdM may use OpenID or SAML (Security Association Markup Language). According to EDUCAUSE, "Identity management refers to the policies, processes, and technologies that establish user identities and enforce rules about access to digital resources. In a campus setting, many information systems—such as e-mail, learning management systems, library databases, and grid computing applications—require users to authenticate themselves (typically with a username and password). An authorization process then determines which systems an authenticated user is permitted to access. With an enterprise identity management system, rather than having separate credentials for each system, a user can employ a single digital identity to access all resources to which the user is entitled. Federated identity management permits extending this approach above the enterprise level, creating a trusted authority for digital identities across multiple organizations. In a federated system, participating institutions share identity attributes based on agreed-upon standards, facilitating authentication from other members of the federation and granting appropriate access to online resources. This approach streamlines access to digital assets while protecting restricted resources."[8]
Fingerprints (4.4)
Fingerprints are the most widely used biometric control available today. Smartcards can carry fingerprint information. Many U.S. Government office buildings rely on fingerprint authentication for physical access to the facility. Examples include smart keyboards, which require users to present a fingerprint to unlock the computer's screen saver. The data used for storing each person's fingerprint must be of a small enough size to be used for authentication. This data is a mathematical representation of fingerprint minutiae, specific details of fingerprint friction ridges, which include whorls, ridges, bifurcation, and others. Figure 1.3 shows minutiae types (from left) bifurcation, ridge ending, core, and delta.[6]
Identity and Authentication (1.2)
Identity is a claim: if your name is "Person X," you identify yourself by saying "I am Person X." Identity alone is weak because there is no proof. You can also identify yourself by saying "I am Person Y." Proving an identity claim is called authentication: you authenticate the identity claim, usually by supplying a piece of information or an object that only you possess, such as a password or your passport.
Hand Geometry (4.4)
In hand geometry biometric control, measurements are taken from specific points on the subject's hand: "The devices use a simple concept of measuring and recording the length, width, thickness, and surface area of an individual's hand while guided on a plate."[7] Hand geometry devices are fairly simple and can store information in as little as 9 bytes.
Password Hashes and Password Cracking (4.2)
In most cases, clear text passwords are not stored within an IT system; only the hashed outputs of those passwords are stored. Hashing is one-way encryption using an algorithm and no key. When a user attempts to log in, the password they type is hashed, and that hash is compared against the hash stored on the system. The hash function cannot be reversed: it is impossible to reverse the algorithm and produce a password from a hash. While hashes may not be reversed, an attacker may run the hash algorithm forward many times, selecting various possible passwords and comparing the output to a desired hash, hoping to find a match (and to derive the original password). This is called password cracking.
ACCESS CONTROL DEFENSIVE CATEGORIES AND TYPES (3)
In order to understand and appropriately implement access controls, understanding what benefits each control can add to security is vital. In this section, each type of access control will be defined on the basis of how it adds to the security of the system.
Integrity (1.1)
Integrity seeks to prevent unauthorized modification of information. In other words, integrity seeks to prevent unauthorized write access to data. There are two types of integrity: data integrity and system integrity. Data integrity seeks to protect information against unauthorized modification; system integrity seeks to protect a system, such as a Windows 2012 server operating system, from unauthorized modification.
Kerberos (5.3)
Kerberos is a third-party authentication service that may be used to support Single Sign-On. Kerberos (http://www.kerberos.org/) was the name of the three-headed dog that guarded the entrance to Hades (also called Cerberus) in Greek mythology. Kerberos uses symmetric encryption and provides mutual authentication of both clients and servers. It protects against network sniffing and replay attacks.
Keyboard Dynamics (4.4)
Keyboard dynamics refers to how hard a person presses each key and the rhythm by which the keys are pressed. Surprisingly, this type of access control is cheap to implement and can be effective. As people learn how to type and use a computer keyboard, they develop specific habits that are difficult to impersonate, although not impossible.
Least Privilege and Need to Know (1.4)
Least privilege means users should be granted the minimum amount of access (authorization) required to do their jobs, but no more. Least privilege is applied to groups of objects. Need to know is more granular than least privilege: the user must need to know that specific piece of information before accessing it.
Mandatory Access Controls (2.2)
Mandatory Access Control (MAC) is system-enforced access control based on subjects' clearances and objects' labels. Subjects and objects have clearances and labels, respectively, such as confidential, secret, and top secret. A subject may access an object only if the subject's clearance is equal to or greater than the object's label. Subjects cannot share objects with other subjects who lack the proper clearance or "write down" objects to a lower classification level (such as from top secret to secret). MAC systems are usually focused on preserving the confidentiality of data.
Network attacks (6.1)
Network attacks may leverage client-side attacks, server-side attacks, or Web application attacks. See Chapter 6, "Domain 6: Security Architecture and Design," for more information on these attacks. War dialing uses a modem to dial a series of phone numbers, looking for an answering modem carrier tone (the penetration tester then attempts to access the answering system); the name derives from the 1983 movie WarGames.
Nonrepudiation (1.3)
Nonrepudiation means a user cannot deny (repudiate) having performed a transaction. It combines authentication and integrity: nonrepudiation authenticates the identity of a user who performs a transaction and ensures the integrity of that transaction. You must have both authentication and integrity to have nonrepudiation: proving you signed a contract to buy a car (authenticating your identity as the purchaser) is not useful if the car dealer can change the price from $20,000 to $40,000 (violate the integrity of the contract).
ACCESS CONTROL MODELS (2)
Now that we have reviewed the cornerstone access control concepts, we can discuss the different access control models: the primary models are Discretionary Access Control (DAC), Mandatory Access Control (MAC), and nondiscretionary access control.
Access Provisioning Lifecycle (2.7)
Once the proper access control model has been chosen and deployed, the access provisioning lifecycle must be maintained and secured. While many organizations follow best practices for issuing access, many lack formal processes for ensuring the entire lifetime of access is kept secure as employees and contractors move within an organization.
Passwords (4.2)
Passwords have been the cornerstone for access control to IT systems. They are relatively easy and cheap to implement. Many online banking, stock portfolio services, private Web mail, and health-care systems still use a user name and password as the access control method. There are four types of passwords to consider when implementing access controls: static passwords, passphrases, one-time passwords, and dynamic passwords. Static passwords are reusable passwords that may or may not expire. They are typically user-generated and work best when combined with another authentication type, such as a smart card or biometric control. Passphrases are long static passwords, comprised of words in a phrase or sentence. An example of a passphrase is: "I will pass the CISSP® in 6 months!" Passphrases may be made stronger by using nonsense words (replacing CISSP® with "XYZZY" in the previous passphrase, for example), by mixing case, and by using additional numbers and symbols. One-time passwords may be used for a single authentication. They are very secure but difficult to manage. A one-time password is impossible to reuse and is valid for just one-time use. Dynamic passwords change at regular intervals. RSA security makes a synchronous token device called SecurID that generates a new token code every 60 seconds. The user combines their static PIN with the RSA dynamic token code to create one dynamic password that changes every time it is used. One drawback when using dynamic passwords is the expense of the tokens themselves.
Nondiscretionary Access Control (2.3)
Role-Based Access Control (RBAC) defines how information is accessed on a system based on the role of the subject. A role could be a nurse, a backup administrator, a help desk technician, etc. Subjects are grouped into roles and each defined role has access permissions based upon the role, not the individual. RBAC is a type of nondiscretionary access control because users do not have discretion regarding the groups of objects they are allowed to access and are unable to transfer objects to other subjects. Task-based access control is another nondiscretionary access control model, related to RBAC. Task-based access control is based on the tasks each subject must perform, such as writing prescriptions, restoring data from a backup tape, or opening a help desk ticket. It attempts to solve the same problem that RBAC solves, focusing on specific tasks, instead of roles.
SESAME (5.4)
SESAME is the Secure European System for Applications in a Multivendor Environment, a single sign-on system that supports heterogeneous environments. SESAME can be thought of as a sequel of sorts to Kerberos: "SESAME adds to Kerberos: heterogeneity, sophisticated access control features, scalability of public key systems, better manageability, audit and delegation."[9] Of those improvements, the addition of public key (asymmetric) encryption is the most compelling. It addresses one of the biggest weaknesses in Kerberos: the plaintext storage of symmetric keys. SESAME uses Privilege Attribute Certificates (PACs) in place of Kerberos' tickets.
Security Assessments (6.4)
Security assessments are a holistic approach to assessing the effectiveness of access control. Instead of looking narrowly at penetration tests or vulnerability assessments, security assessments have a broader scope.
Single Sign-on (5.1)
Single Sign-On (SSO) allows multiple systems to use a central authentication server (AS). This allows users to authenticate once and then access multiple, different systems. It also allows security administrators to add, change, or revoke user privileges on one central system. The primary disadvantage to SSO is it may allow an attacker to gain access to multiple resources after compromising one authentication method, such as a password. SSO should always be used with multifactor authentication for this reason.
Social engineering (6.1)
Social engineering uses the human mind to bypass security controls. Social engineering may be used in combination with many types of attacks, especially client-side attacks or physical tests. An example of a social engineering attack combined with a client-side attack is e-mailing malware with a subject line of "Category 5 Hurricane is about to hit Florida!"
Someplace You are (4.5)
Someplace you are describes location-based access control using technologies such as the global positioning system (GPS), IP address-based geolocation, or the physical location for a point-of-sale purchase. These controls can deny access if the subject is in the incorrect location.
Synchronous Dynamic Token (4.3)
Synchronous dynamic tokens use time or counters to synchronize a displayed token code with the code expected by the authentication server: the codes are synchronized. Time-based synchronous dynamic tokens display dynamic token codes that change frequently, such as every 60 seconds. The dynamic code is only good during that window. The authentication server knows the serial number of each authorized token, the user it is associated with, and the time. It can predict the dynamic code on each token using these three pieces of information. Counter-based synchronous dynamic tokens use a simple counter: the authentication server expects token code 1, and the user's token displays that same code. Once used, the token displays the second code, and the server also expects token code 2.
Disclosure, Alteration, and Destruction (1.1)
The CIA triad may also be described by its opposite: Disclosure, Alteration, and Destruction (DAD). Disclosure is the unauthorized disclosure of information; alteration is the unauthorized modification of data, and destruction is making systems unavailable. While the CIA acronym sometimes changes, the DAD acronym is shown in that order.
Crossover Error Rate (4.4)
The Crossover Error Rate (CER) describes the point where the False Reject Rate (FRR) and False Accept Rate (FAR) are equal. CER is also known as the Equal Error Rate (EER). The Crossover Error Rate describes the overall accuracy of a biometric system. As the sensitivity of a biometric system increases, FRRs will rise and FARs will drop. Conversely, as the sensitivity is lowered, FRRs will drop and FARs will rise. Figure 1.2 shows a graph depicting the FAR versus the FRR. The CER is the intersection of both lines of the graph as shown in Figure 1.2, based on the ISACA Biometric Auditing Guide, G36.[5]
PAP and CHAP (2.8)
The Password Authentication Protocol (PAP) is insecure: a user enters a password and it is sent across the network in clear text. When received by the PAP server, it is authenticated and validated. Sniffing the network may disclose the plaintext passwords. The Challenge-Handshake Authentication Protocol (CHAP) provides protection against playback attacks.[2] It uses a central location that challenges remote users. As stated in RFC 1994, "CHAP depends upon a 'secret' known only to the authenticator and the peer. The secret is not sent over the link. Although the authentication is only one-way, by negotiating CHAP in both directions the same secret set may easily be used for mutual authentication."[3]
RADIUS (2.8)
The Remote Authentication Dial-In User Service (RADIUS) protocol is a third-party authentication system. RADIUS uses the User Datagram Protocol (UDP) ports 1812 (authentication) and 1813 (accounting). RADIUS is considered an "AAA" system, comprised of three components: authentication, authorization, and accounting. It authenticates a subject's credentials against an authentication database. It authorizes users by allowing specific users access to specific data objects. It accounts for each data session by creating a log entry for each RADIUS connection made.
TACACS and TACACS+ (2.8)
The Terminal Access Controller Access Control System (TACACS) is a centralized access control system that requires users to send an ID and static (reusable) password for authentication. TACACS uses UDP port 49 (and may also use TCP). Reusable passwords have a security vulnerability: the improved TACACS+ provides better password protection by allowing two-factor strong authentication. TACACS+ is not backward compatible with TACACS. TACACS+ uses TCP port 49 for authentication with the TACACS+ server.
Accuracy of Biometric Systems (4.4)
The accuracy of biometric systems should be considered before implementing a biometric control program. Three metrics are used to judge biometric accuracy: the False Reject Rate (FRR), the False Accept Rate (FAR), and the Crossover Error Rate (CER).
Identity and Authentication, Authorization, and Accountability (1.2)
The term "AAA" is often used, describing cornerstone concepts Authentication, Authorization, and Accountability. Left out of the AAA acronym is Identification, which is required before the three "A's" can follow.
Types of Biometric Controls (4.4)
There are a number of biometric controls used today. Below are the major implementations and their specific pros and cons with regard to access control security.
ACCESS CONTROL TECHNOLOGIES (5)
There are several technologies used for the implementation of access controls. As each technology is presented, it is important to identify what is unique about each technical solution.
Three Basic Authentication Methods (4.1)
Type 1 (something you know), Type 2 (something you have), and Type 3 (something you are). A fourth type of authentication is some place you are. Strong authentication (also called multifactor authentication) requires that the user present more than one authentication factor. For example, a user may possess an ATM card in order to withdraw money out of the bank, but he/she must also input the correct PIN.
Type 1 Authentication: Something You Know (4.2)
Type 1 authentication (something you know) requires testing the subject with some sort of challenge and response where the subject must respond with a knowledgeable answer. The subject is granted access on the basis of something they know, such as a password or PIN (Personal Identification Number, a number-based password). This is the easiest, and often weakest, form of authentication.
Type 2 Authentication: Something You Have (4.3)
Type 2 authentication (something you have) requires that users possess something, such as a token, which proves they are an authenticated user. A token is an object that helps prove an identity claim.
Type 3 Authentication: Something You Are (4.4)
Type 3 authentication (something you are) is biometrics, which uses physical characteristics as a means of identification or authentication. Biometrics may be used to establish an identity or to authenticate (prove an identity claim). For example, an airport facial recognition system may be used to establish the identity of a known terrorist, and a fingerprint scanner may be used to authenticate the identity of a subject (who makes the identity claim and then swipes his or her finger to prove it).
Vulnerability Testing (6.2)
Vulnerability scanning (also called vulnerability testing) scans a network or system for a list of predefined vulnerabilities such as system misconfiguration, outdated software, or a lack of patching.
subject (1.5)
an active entity on a data system. Most examples of subjects involve people accessing data files. However, running computer programs are subjects as well.
object (1.5)
any passive data within the system. Objects can range from databases to text files. The important thing to remember about objects is that they are passive within the system. They do not manipulate other objects.
Administrative (also called directive) controls (3.1)
implemented by creating and following organizational policy, procedure, or regulation. User training and awareness also fall into this category.
Technical controls (3.1)
implemented using software, hardware, or firmware that restricts logical access on an information technology system. Examples include firewalls, routers, and encryption.
Physical controls (3.1)
implemented with physical devices, such as locks, fences, gates, and security guards.