Fundamentals of Information Security Chpt 5***

Firewalls

"any incoming connection"-->port 80(HTTP) -->"Deny"

Example of a Rule Based Access Control

-Fred from the it department has been assigned secret clearance -his work hours must be b/w "9am -5pm" -then allow access to "email server" & "customer support DB"

Examples of Single Sign-On (SSO)

-Keberos[Microsoft] -Active Directory Domain Controller--SESAME[European]

Mandatory Access Controls(MAC)

-Levels of classification for several users -system (not he owner) is going to set access to objects(resources) -example is : top secret, secret, classified, confidential (read privileges downward, not upward)

When it comes to privacy, organizations are concerned about which of the following?

-Liability and harassment suits -skyrocketing losses from employee theft -productivity losses form employees shopping or performing other non-work-related tasks online

Disadvantage of a Single Sign-On(SSO)

-Useful system for management, but difficult to put in place.

Bel_La Padula Model

-focuses on the confidentiality of data and control of access to classified information -protects confidentiality of users -"secure state transformation"

Challenges to access control include which of the following?

-laptop loss -exploiting hardware -eavesdropping -exploiting applications

Methods of Constraining Users in a Constrained User Interface

-menus(the menu that comes up does not include closed areas) -database views-->view-based access control(VBAC)--used with relational databases -physically constrained user interface--> POS machines(ATM) -encryption-constrains users because it requires them to have the decryption key to reach or read information stored

Brewer & Nash Integrity Model

-most widely adopted model -avoid "conflicts of interest" among users -"Chinese Wall Security Policy" defines a barrier [set of rules] that makes subject not connect with the object on the other side of the wall. ...see fig 5.7

Discretionary Access Control(DAC)

-owner of the resource decides the permissions -very common in operating systems such as Linux, Mac, Windows

Examples of Access Controls Implementation:

-passwords/PINS -protected reader -lock & key -swipe reader -biometrics -RFID

Advantages of Biometrics

-person must be physically present to authenticate. -there is nothing to remember -biometrics are hard to fake -lost ids or forgotten passwords are not a problem

Disadvantages of Biometrics

-physical characteristics may change -disabled users my have difficulty with systems based on fingerprints, hand geometry, or signatures -not all techniques are equally effective -response time may be too slow -devices required can be expensive

Non-Discretionary Access Control

-role-based access controls-"organization structure" -A set of roles of how subject & objects interact -users are assigned "roles" -scalability compared to DAC -role assignments are based on "Principle of Least Privilege" --"Need to know"

Rule-Based Access Controls

-specific rules based on multiple access controls mechanisms -"if" x from y "logic"

Advantages of Single Sign-On(SSO)

-very effective in a structural organzation -provides stronger re-authentication -better centralized access -it provides for failed log on attempts threshold and lockouts (protects against an intruder using brute force to obtain an authentic user ID and password combination)

**One-Time Passwords

-very effective with "replay attacks" -just valid for only one logic session or transaction -PC's, digital devices -avoid a number of shortcomings with traditional password-based authentication systems -not vulnerable to "replay attacks"

Access Controls Define

-who the users are?(single or group) -what users can do? -Which resources they can reach? -What operations they can perform?

FOUR PARTS of Access Controls:

1) Authorization 2)Identification 3) Authentication 4)Accountability

Four Parts of Access Control are divided into TWO PHASES

1) the Policy Definition Phase 2) the Policy Enforcement Phase

Two TYPES or LEVELS of Access Control

1)Physical Access Controls 2) Logical Access Controls

Password Best Practices

1. Account Lockout Policy-number of failed logon attempts trigger a THRESHOLD, account is automatically disabled 2. Password Expiration Policy

THREE Efficiency Measures in Biometrics

1. Accuracy 2. Acceptability 3. Reaction Time

Types of Password attacks

1. Brute-force 2. Dictionary 3. Rainbow Tables

Steps in a Asynchronous Challenge Response Session

1. Client PC: user initiates a log on request 2. Authentication server provides a challenge: 3. Client PC: User computes response to the challenge into the calculation device 4.. Client PC: Response is going to be sent. The token generates a response t the challenge, which appears on window of token. 5. Authentication Server: Acknowledge the response and provider authentication 6. Access is granted.

The CENTRAL ELEMENTS that define the components of Access Control Policies

1. Defining an Authorization Policy 2. Identification Methods and Guidelines 3. Authentication Processes and Requirements

TWO methods to Dispose Media

1. Degausser 2. Repeated Writing

TYPES of Biometrics

1. Finger printing 2. Hand geometry 3. Retina Scan(very accurate) 4. Iris Scan 5. Facial Recognition 6. Voice Pattern 7. Keystroke Dynamics(considered most accurate)

Cloud Service Provider(CSP) Disadvantages

1. Greater difficulty in keeping data private 2. Greater demand for constant network access 3. Greater need for client to trust outside vendor

Three Common Cloud Services

1. Infrastructure as a Service(IaaS) 2. Platform as a Service(PaaS) 3. Software as a Service(SaaS)

Cloud Service Provider(CSP) Advantages

1. No need to maintain a data center 2. No need for any business continuity plan 3. On-demand provisioning

Four Categories of Cloud Computing

1. Private Cloud 2. Community Cloud 3. Public Cloud 4. Hybrid Cloud

FOUR PARTS of the Security Kernel

1. Reference Monitor 2. Subject 3. Object 4. Audit log

The Three Axioms of Biba Integrity Model

1. Simple integrity axiom 2. star integrity axiom 3. a subject may not ask for service from subject that has higher level of integrity

**TWO FORMS of Authentication

1. Single-Factor Authentication 2. Two- or Multi-Factor Authentication

TWO categories of Authentication by Characteristics/Biometrics

1. Static 2. Dynamic

Example of Security Kernel Enforcing Access Control

1. Subject requests an action("read") on the object..the security kernel intercepts the request 2. verification with "rule-sets" or ACLS stored in the security kernel database 3. Kernel allows or denies the requested action as the object(by the subject) 4. All actions are logged for later tracking and analysis.

Two Types of Tokens

1. Synchronous Tokens 2. Asynchronous Tokens

Identification Methods(Access Control)

1. Username & Passwords 2. PIN 3. Smart Cards (alternative way for not remembering longer passwords) 4. Biometrics (physical attributes)

FOUR ELEMENTS of access to manage Access Control policies well:

1. Users 2. Objects/Resources 3. Actions 4. Relationships or Permissions(read, write, execute)

Clark and Wilson Integrity Model addresses three Integrity Goals:

1. stops unauthorized users from making changes 2. It stops authorized users from making improper changes-->"separation of duties" 3. Maintains internal and external consistency

**Three Authentication Types

1.Knowledge 2. Ownership 3. Characteristics

Which answer best describes the accountability component of access control?

Accountability is the process of creating and maintaining the policies and procedures necessary to ensure proper information is available when an organization is audited.

Routers

Any source IP and Port

Which answer best describes the authentication component of access control?

Authentication is the validation or proof that the subject requesting access is indeed the same subject who has been granted that access.

Which answer best describes the authorization component of access control?

Authorization is the process of determining who is approved for access and what resources they are approved for.

Authentication(Access Control)

Can their identities be verified?

Physical access, security bypass and eavesdropping are examples of how access controls can be_____.

Compromised

Keystroke Dynamics

Considered the "most accurate". dwell time and flight time of the keystrokes.

The Bell-La Padula model focuses on the confidentiality of data and the control of access to classified information.

Discretionary access control (DAC);

When the owner of the resource determines the access and changes permission as needed, it is know ans______.

Discretionary access control(DAC)

Which biometric technique (scan) is not very accurate for subject identification?

Facial Recognition

Access controls cannot be implemented in various forms, restriction levels, and at different levels within the computing environment.

False; it can be implemented

How many Formal Models of Access Controls ?

Four: 1. Discretionary Access Control(DAC) 2. Mandatory Access Control(MAC) 3. Non-discretionary Access Control 4. Rule-Based Access Control

Acceptability(biometrics)

How comfortable is it for the user? If the users are not comfortable using the system, they may refuse to submit to it.

Identification (access control)

How they are identified?

Which answer best describes the identification component of access control?

Identification is the method a subject use to request access to a system.

Which answer best describes the identification component of access control?

Identification is the method a subject uses to request access to a system.

Asynchronous Tokens

Independent Software to be installed on the client

Kerebos(slide)

KDC(key distribution center) AS(authentication service) TGS(ticket granting service) 1. Authenticate the user "stored secret"--Bob wants access for a file server 2. TGT is created and supplied to Bob 3. Bob would use TGT to request access to a file system--Service ticket is provided 4. Service Ticket Authenticates Bob to give access to file

When you log on to a network, you are presented with some combination of username, password, token, smart card, or biometrics. You are then authorized or denied access b the system. This is an example of ________.

Logical Access Controls

When you log on to a network, you are presented with some combination of username, password, token, smart card or biometrics. You are then authorized or denied access by the system. This is an example of _________.

Logical access controls

Software as a Service(SaaS)

Only distribute the software access on virtual machines or physical machines -may have web servers to host the service Examples: Google Docs, Microsoft 365, Amazon

Characteristics(Authentication, Access Control)

Something that is unique to you, biometric traits such as fingerprint, iris, etc

**Ownership(Authentication, Access control)

Something you have, such as a smart card, key, badge, or token...something you have or possess

Which of the following is an example of a formal model of access control?

The Clark and Wilson Integrity Model

The Policy Enforcement Phase(Access Control)

The identification, authentication, and accountability processes operate this phase.

Threshold

The number of failed log on attempts that trigger an account action called a threshold. The user may be locked out until reset by security officer.

Physical Access Controls

These control entry into buildings, parking lots, and protected areas. ie: door & key

Logical Access Controls

These controls access to a computer system or network. ie: unique passwords and pins

True or False. Physical access controls deter physical access to resources, such as buildings or gated parking lots.

True

True or False: Access controls are policies or procedures used to control access to certain items

True

True or False: Access controls are policies or procedures used to control access to certain items.

True

True or False: The security kernel enforces access control of computer systems.

True

True or false: The security kernel enforces access control of computer systems.

True

Asynchronous Tokens

Uses Challenge-Response Mechanism

Static(psychological)

What you are. Include recognizing facial patterns, fingerprints, iris geometry

Dynamic(Behavioral)

What you do. voice inflection, keystroke dynamics, and signature patterns.

Private Cloud

a single organization

Star Integrity Axiom

a subject cannot change(modify) objects that has a higher level of integrity

Simple Integrity Axiom

a subject cannot read objects that has a lower level of integrity than the subject does

Constrained User Interface

a user's ability to get into-or interface with- certain system resources is restrained by users rights and permissions are restricted and constraints are put on the device or program providing the interface.; example is an ATM.

**Biba Integrity Model

addresses only the confidentiality of datea -uses three axioms for preserving integrity 1. Simple integrity axiom 2. star integrity axiom 3. a subject may not ask for service from subject that is higher level of integrity

Single Sign-On(SSO)

allows users to sign on to a computer or network once, and have their identification and authorization credentials allow them into all computer and systems where they are authorized.

Public Cloud

available to unrelated organizations or individuals

Accuracy(biometrics)

biometric devices are not perfect. Has two error rates associated with it[false rejection rate(FRR) and false acceptance rate(FAR)] with the trade off between the FRR and FAR being the crossover error rate(CER).

Degausser

creates a magnetic field that erases data from magnetic storage

Clark & Wilson Integrity Model

focuses on what happens when users allowed into a system try to do things they are not permitted to do. It also looks at internal integrity threats. These two components were missing from Biba's model

**KEREBOS

is a computer-network authentication protocol that allows nodes communicating over non-secure network to prove their identity to one another in a secure manner.

Access Control Policy

is a set of rules that allows a specific group of users to perform a particular set of actions on a particular set of resources.

Smart Card

is a token shaped like a credit card that contains one or more microprocessor chips embedded in it(contact or contactless); are PIN enabled chip cards (EMV)

Authentication By Knowledge

is based on something you know such as a password, passphrase, or PIN.**They are also the weakest

Security Kernel

is the central part of a computing environment's hardware, software, and firmware that enforces access control for computer systems.

Identification(Access Control)

is the method a subject uses to request access to a system or resource

False Acceptance Rate(FAR)

is the rate at which invalid subjects are accepted.

False Reject Rate(FRR)

is the rate at which valid subjects are rejected

Authentication by Ownership

is the second type of verification. This is based on something you have, such as a smart card, a key, a badge or a token.

Using a Passphrase

mainly used on public and private key encryption

Cloud Service Provider(CSP)

maintains several data centers with racks of server computers. Each server runs multiple virtual machines and is able to provide service to many clients simultaneously.

The Security Kernel

mediates all access request and permits access only when appropriate rules or conditions are met.

Hybrid Cloud

multiple types of combinations

Media Disposal Requirements

prevent attackers from getting files, memory and other protected data

**Authentication(access control)

proves that the subject requesting access is the same subject who has been granted access. Are users who they say they are?

Platform as a Service(PaaS)

provides users access to an entire set of platform along iwth necessary o/s & virtual machines, network components

Infrastructure as a Service(IaaS)

provides users with physical access to a virtual machine

Community Cloud

shared among several organizations

Crossover Error Rate(CER)

si the point at which the FRR and FER are equal. is the measure of the system's accuracy expressed as a percentage[FRR = = FAR]

**Knowledge(Authentication, Access controls)

something you know, such as a password, passphrase, or PIN.

Reaction Time(Biometrics)

system to check and provide response? [iris vs retina] Reaction time must be fast for most checkpoints, anything too slow hinders productivity and access.

The Policy Defenition Phase(Access Control)

the AUTHORIZATION process operates this phase

Accountability(access control)

the business part, auditing(logs)

Time or Counter-Based Synchronization

the current time is used as the input value. The token generates a new dynamic password(usually every minute) that is displayed in the window of the token.

Access Control

the method of protecting a resource so that its only used by those allowed to use it.

Reference Monitor

the security kernel provides a central point of access control and implements the reference monitor concept.

Cloud Computing

to share distributed users among users, as and when they need them

Synchronous tokens

uses an algorithm that calculates a number at both the authentication server and the device. OTP(one time password)

USB Token

uses public key infrastructure(PKI) technology and dont provide one-time passwords. Is a hardware device that you plug into your computer's USB port

Two or Multi-Factor Authentication

using a combination of authentication "replay attacks"**prevents "REPLAY ATTACKS"

The process of identifying, quantifying, and prioritizing the vulnerabilities in a system is know as a __________.

vulnerability assessment

Authorization(access control)

who is approved for access and what exactly can they use?

Repeated Writing

write or format operation: Repeatedly writing random characters over data usually will destroy the data...this is called overwriting