Information Security and Assurance - C725 - Chapter 10 Access Control Systems and Methodology
A table includes multiple objects and subjects and it identifies the specific access each subject has to different objects. What is this table?
Access control matrix An access control matrix includes multiple objects, and it lists subjects' access to each of the objects. A single list of subjects for any specific object within an access control matrix is an access control list. A federation refers to a group of companies that share a federated identity management system for single sign-on. Creeping privileges refers to the excessive privileges a subject gathers over time.
What is Access Control?
Access controls are a collection of mechanisms that work together to create a security architecture that protects the assets of an information system.
Which of the following best describes an implicit deny principle?
All actions that are not expressly allowed are denied.
Question : What can be defined as a table of subjects and objects indicating what actions individual subjects can take upon individual objects?
An access control list An access control list is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Within the file is a user ID and an associated privilege or set of privileges for that user and that resource.
Discretionary Access Control
An access control list (ACL) is simply a list or a file of users who are given the privilege of access to a system or a resource (such as a database). Within the file is a user ID and an associated privilege or set of privileges for that user and that resource. The privileges are typically Read, Write, Update, Execute, Delete, and Rename
Token
An example of two-factor authentication is a password token, a mechanism that generates changing passwords every minute or so. These devices are protected by a password so that when they're in use, a user is challenged to provide the one-time-password (OTP) displayed on the device at that moment in time as the "dynamic" password plus the password only the user knows (a static password to prove that the device holder is the authorized user of the device). The mechanism behind these devices employs secret key cryptography (discussed in Lesson 11, "Cryptography") that encrypts and decrypts a unique time stamp each time the device is used. You learn more about these devices in the section "Remote User Access and Authentication."
Question : Which of the following terms best describes the verification that the user's claimed identity is valid?
Authentication
Authentication Credentials
Authentication credentials permit the system to verify someone's identification credential. Authenticating yourself to a system involves giving it the information you have established to prove that you are who you say you are. Your photo authenticates your identity. Another common authentication of your identity is your signature. If your signature matches the signature on your credential, the recipient can be reasonably assured that you are who your ID claims you are.
Biometrics
Biometric methods of identification work by measuring unique human characteristics as a way to confirm identity.
Which terms best describes the use of technologies such as fingerprint, retina, and iris scans to authenticate the individuals requesting access to resources?
Biometrics
Not to use in a password:
Common names, date of birth, spouse's name, phone number, pet name, and so forth Words found in dictionaries Password as a password System default passwords (administrator, field-support, and so forth).
US Gov classification labels
Confidential: Unauthorized disclosure of information may damage national security. Secret: Unauthorized disclosure of information may seriously damage national security. Top Secret: Unauthorized disclosure of information may cause exceptionally grave damage to national security.
Which of the following statements is true?
Controlling access to information systems and associated networks is necessary for the preservation of their confidentiality, integrity, and accountability.
Which of the following models is also known as an identity-based access control model?
DAC A Discretionary Access Control (DAC) model is an identity-based access control model. It allows the owner (or data custodian) of a resource to grant permissions at the discretion of the owner. The Role Based Access Control (RBAC) model is based on role or group membership. The rule-based access control model is based on rules within an ACL. The Mandatory Access Control (MAC) model uses assigned labels to identify access.
What is the intent of least privilege?
Enforce the most restrictive rights required by users to complete assigned tasks.
What are common biometrics techniques
Fingerprint recognition Signature dynamics Iris scanning Retina scanning Voice prints Face recognition
The most common biometric in use is fingerprint recognition. Consider some advantages of fingerprints:
Fingerprints can't be lent out like a physical key or token and can't be forgotten like a password. Fingerprints are a good compromise in ease of use, cost, and accuracy. Fingerprints contain enough inherent variability to enable unique identification even in very large databases (think millions of records). Fingerprints last virtually forever—or at least until some extraordinary circumstance prevents their use (amputation, dismemberment, and so forth). Fingerprints make network login and authentication effortless.
For Official Use Only
For Official Use Only" is not a security classification. It is used to protect information covered under the Privacy Act and other sensitive data.
Good Password Practices:
Good passwords are easy to remember and hard to crack using computerized password-cracking tools. The best way to create passwords that fulfill both criteria is to use two or more small and unrelated words or phonemes, ideally with a special character or number. Good examples include pa55w0rd and !l0g*me*1n.
The following are practical applications for biometric identification/authentication:
Handling network access control Tracking staff time and attendance Authorizing financial transactions Distributing government benefits (Social Security, public assistance, and so forth) Verifying identities at point of sale Working in conjunction with ATM cards, credit cards, or smart cards Controlling physical access to office buildings or homes Protecting personal property Preventing kidnapping in schools, play areas, and other locations Protecting children from fatal gun accidents Controlling voting, passports, visas, and immigration
Which of the following statements is true?
Identification establishes user accountability for the actions on the system.
Three-Factor Authentication (something you have plus something you know plus something you are (SYH/SYK/SYA))
In a three-factor system, unique information related to the user is added to the two-factor authentication process. This unique information might be a biometric (fingerprint, retinal scan, and so forth) needed for authentication. These systems are common for physical access to secured areas and can be replicated for computer or logical access. The three-factor mechanism is described as something you have plus something you know plus something you are (SYH/SYK/SYA). For example, a person trying to access a data center door might be required to swipe a card (a badge), enter a PIN on a keypad to prove that she's the owner of the badge, and offer a fingerprint or iris or retinal scan to prove that she is the person assigned the badge and PIN.
Single Sign-On
In an SSO system, users have one password for all corporate and back-office systems and applications that they need to perform their jobs. That way, they can remember and use one consistent password, thus increasing the security of the overall system of access controls. Although this goal sounds reasonable, it's actually quite difficult to implement.
Which of the following best describes a rule-based access control model?
It uses global rules applied to all users equally. A rule-based access control model uses global rules applied to all users and other subjects equally. It does not apply rules locally, or to individual users.
Multifactor Authentication
It's possible to add more sophistication to authenticating users than using passwords alone. With two or three factors (multifactor authentication) to authenticate, an information owner can gain confidence that users who access their systems are indeed authorized to access those systems. This is accomplished by adding more controls or devices to the password authentication process.
Kerberos
Kerberos is a network authentication protocol named for the three-headed dog that guarded the entrance to Hades in Greek mythology. -provide authentication for client/server applications by using symmetric key cryptography -the Kerberos protocol uses robust cryptography so that a client can prove his or her identity to a server (and vice versa) across an insecure network connection, such as the Internet - After a client and server have used Kerberos to prove their identities, they can also encrypt all their communications to ensure privacy and data integrity as they go about their business. -it assign unique key, called a ticket, to each user who logs on to the network. The ticket is then embedded in messages that permit the receiver of the message (programs or other users) to positively identify the sender of the message. -users need to log in only once, and each resource they want to access checks their tickets for currency and validity when a request for access is made.
Question : Which of the following security models is dependent on security labels?
Mandatory access control
Tokens, smart cards, and biometric devices used for identification and authentication provide robust authentication of the individual by practicing which of the following principles?
Multifactor authentication Multifactor authentication is a method of confirming a user's identity in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism. The evidence or factors are something the user and only the user knows.
A central authority determines which files a user can access. Which of the following best describes this?
Nondiscretionary access control model
Common Approach for SSO
One common approach to managing IDs and passwords is to create a password or PIN vault. These programs use secure methods to locally store IDs and passwords that are protected by a master password that unlocks the vault when it's needed. Free tool Sourceforge.com
Goal of Access Control?
One of the goals of access control is personal accountability, which is the mechanism that proves someone performed a computer activity at a specific point in time. confidentiality and integrity.
Question : Which type of password provides maximum security because a new password is required for each new log-on?
One-time or dynamic password A user is challenged to provide the one-time password displayed on the device at that moment in time as the "dynamic" password plus the password only the user knows. One-time passwords are a commonly used type of dynamic password—a machine-generated, random string that is used once to authenticate. Every time an end user wants to log in, instead of entering their usual static password every time, they would simply input a unique, machine-generated password.
Question : Which of the following is the weakest authentication mechanism?
Passwords Passwords are the weakest link in the security chain. Problems persist as people are responsible for managing their passwords. Passwords can be insecure, easily broken, and inconvenient.
Password are inconvenient
Passwords are inconvenient. In an attempt to improve security, organizations often issue users computer-generated passwords that are difficult, if not impossible, to remember. Instead of trying to remember them, users often write them down and put them where they can see them, such as on a sticky note attached to a monitor or an index card taped to the bottom of a keyboard. Clearly, this compromises the security of the system.
Passwords are repudiable
Passwords are repudiable. Unlike a written signature, when a transaction involves only a password, no real proof can confirm the identity of the individual who made the transaction. Repudiation is the act of denying participation in a transaction or system access. There's no way to prove whether the user shared his or her ID and password with someone else, or whether someone other than the user stumbled upon or cracked the user's password and logged on pretending to be the authorized user. Later in the lesson, you'll see a few alternatives to passwords alone that help information owners gain confidence that users are legitimate.
The Problems with Passwords
Passwords can be insecure (Given the choice, people will choose easily remembered and easily guessed passwords, such as names of relatives, pets) Passwords are easily broken. (*Common words in an ordinary dictionary make for poor choices of passwords. Free and widely available programs are available on the Internet to crack passwords through a dictionary attack.) Password crackers- Cain and Abel and John the Ripper
What is Phishing
Phishing is a high-tech scam that uses spam or pop-up messages to deceive you into disclosing your credit card numbers, bank account information, debit card PINs, social security number, passwords, or other sensitive information.
Which of the following best describes a characteristic of the MAC model?
Prohibitive The Mandatory Access Control (MAC) model is prohibitive, and it uses an implicit-deny philosophy (not an explicit-deny philosophy). It is not permissive and it uses labels rather than rules
Remote User Access and Authentication
Remote Access Dial-In User Service (RADIUS) Virtual Private Networks - creating a private tunnel between the endpoints that prevents eavesdropping or data modification. VPNs often use strong cryptography to both authenticate senders and receivers of messages and to encrypt traffic so that it's invulnerable to a man-in-the-middle (MitM) attack.
Question : Which access model is most appropriate for companies with high employee turnover?
Role-based access control Role-based access control (RBAC) groups users with a common access and need. A role for a group of users is assigned to those who perform the same job functions and require similar access to resources. Role-based controls simplify the job of granting and revoking access by assigning users to a group and then assigning rights to the group for access control purposes.
Role-Based Access Control (RBAC)
Role-based access control (RBAC) groups users with a common access need. You can assign a role for a group of users who perform the same job functions and require similar access to resources. Role-based controls simplify the job of granting and revoking access by simply assigning users to a group and then assigning rights to the group for access control purposes. This is especially helpful in companies that experience a high rate of employee turnover or frequent changes in employee roles.
RBAC
Role-based means that groups of people with a similar need for access are placed in a group, and the group itself is provided the access rights. If a person is in the group, they are given access to the resource or asset.
An access control policy for a bank teller is an example of the implementation of which of policy?
Role-based policy Role-based access control (RBAC) groups users with a common access and need. A role for a group of users is assigned to those who perform the same job functions and require similar access to resources
Question 10 : What type of access control model is used on a firewall?
Rule-based access control model
Which of the following would provide the best protection against rainbow table attacks?
Salt and pepper with hashing
Single sign-on
Single sign-on and associated technologies and protocols aim to reduce the proliferation of IDs and passwords, to better control the security of access control mechanisms both within and outside the organization.
Federated Identities
Some examples of federated identity include Facebook, where sites that have an arrangement with Facebook can log in users to their site without requiring them to create a unique ID and password. Other examples of federated identity providers include Google and LinkedIn.
There are three common factors used for authentication:
Something you know (such as a password) Something you have (such as a smart card) Something you are (such as a fingerprint or other biometric method)
MAC
Subject, Object and Labels- used by Military (labels Secret, Top Secret...) Nondiscresionary A central authority determines which files a user can access. The Mandatory Access Control (MAC) model is prohibitive, and it uses an implicit-deny philosophy (not an explicit-deny philosophy). It is not permissive and it uses labels rather than rules.
User Provisioning
The activity of bringing new employees into an organization includes granting them access to the systems that they need to perform their duties. User provisioning activities include checking management approvals for granting access. Identity management seeks to reduce the number of different IDs a person requires for accessing various systems, including email IDs, mainframe access IDs (if present), application IDs, and network IDs. User provisioning tools help managers determine what rights their employees possess and to recertify their need for ongoing access periodically (such as semiannually or annually.)
The idea of authentication
The idea of authentication is that only the legitimate user possesses the secret information needed to prove to a system that he or she has the right to use a specific user ID. These secrets are commonly passwords, but history shows that passwords are problematic.
Benefits of RBAC
The most obvious is the significant time savings when combined with automated user provisioning System and application accounts for new hires are created immediately with the correct set of access privileges needed for their job, based on predefined roles for the user's title or responsibilities. Furthermore, compliance and security controls are significantly enhanced by using role-based access control. The roles themselves are already predefined. When managers and business owners perform periodic certifications of access rights, they simply need to review a handful of roles to ensure that the user is in the correct role, instead of reviewing tens or hundreds of individual access rights. Moreover, automated tools can easily detect user privileges (excessive permissions) that are beyond the approved role and provide a mechanism for handling exceptions
Least Privilege (Need to Know)
The objective is to give people the least amount of access to a system that they need to perform the job they're doing. The "need to know" concept governs the privilege (authority) to perform a transaction or access a resource (system, data, and so forth).
Identification Credentials
Think of identification credentials in terms of how you identify yourself in the offline world: name, social security number, student ID number, and so on.
Question : What are the three classic ways of authenticating yourself to the computer security software?
Use something you know, something you have, and something you are.
Two-Factor Authentication (something you have plus something you know (SYH/SYK).)
With a two-factor authentication system, a user has a physical device (a card, token, smart card, USB flash drive, and so forth) that contains his or her credentials, protected by a personal identification number (PIN) or a password that the user keeps secret. This condition is described as something you have plus something you know (SYH/SYK). An example is your debit card and PIN used to access an automated teller machine (ATM) at your bank. The card identifies you as the account holder, and the PIN authenticates you to the device. Because these PINs are usually only four characters long and usually consist of only numbers, the number of possibilities (entropy) of the system is 10,000 (0000 to 9999). Because a brute-force attack will eventually hit the right PIN, the ATM permits only three tries before it retains the card and notes the attempted breach of your account, forcing the user to contact the bank to restore the ATM privilege.
Question : Which of the following passwords is considered the strongest?
golf001 3Elizabeth t1me4g0lf password it is t1me4g0lf A good way to generate a strong password is to devise a phrase that contains ordinary words, names of people or places, and numbers. Also combine the words and numbers with special characters, especially between the words.
Access control
is a central theme of information security. It is needed to meet the goals of confidentiality, integrity, and user accountability, all essential for trust in an information system.
Information Owner
is one who maintains overall responsibility for the information within an information system. In the corporate world, it might be a department head or a division executive. In the academic world, it might be a dean of records or a university president. Information owners can delegate the day-to-day work to a subordinate or to an information technology department, but they cannot delegate the overall responsibility for the information and the system that maintains it. The information owner must be the one to make the decisions about who uses the system and how to recover the system in case a disaster
MAC
means the computer system itself decides access rights based on classifications and clearance
Mandatory Access Control (MAC) or Nondiscrationary Access Control
the system decides who gains access to information based on the concepts of subjects, objects, and labels, as defined here. MAC is most often used in military and governmental systems and is rarely seen in the commercial world. In a MAC environment, objects (including data) are labeled with a classification (Secret, Top Secret, and so forth), and subjects, or users, are cleared to that class of access. Subjects: The people or other systems that are granted a clearance to access an object within the information system. Objects: The elements within the information system that are being protected from use or access. Labels: The mechanism that binds objects to subjects. A subject's clearance permits access to an object based on the labeled security protection assigned to that object. For example, only subjects who are cleared to access Secret objects may access objects labeled Secret or less than Secret, provided that they also possess the need to know. Subjects who are cleared for Top Secret access may access objects labeled Top Secret and objects with a lower classification label.