87 Cards in this Set
Basic requirements of Access Control
|
Security, Reliability, Transparency, Scalability, Maintainability, Auditability, Integrity and Authenticity
|
|
Access Control (Security)
|
Must ensure only authorized personnel access.
|
|
Access Control (Reliability)
|
Assurance that the access control mechanisms function as expected.
|
|
Access Control (Transparency)
|
Minimal impact on the ability of authorized users to interface with the system.
|
|
Access Control (Scalability)
|
Ability to expand based on demands without compromising system performance.
|
|
Access Control (Maintainability)
|
Simple system that is easily maintained.
|
|
Access Control (Auditability)
|
System should be testable and verifiable. (i.e. audit trails and logs)
|
|
Access Control (Integrity)
|
System must be designed to protect subjects, objects and permissions from unauthorized changes.
|
|
Access Control (Authentic)
|
System should ensure that data input are authentic.
|
|
Separation of Duties
|
No one person should have complete control over a single process.
|
|
Least Privilege
|
People or processes should only be allowed access to the resources they absolutely need to accomplish their assigned work.
|
|
Need To Know
|
Not everyone who is cleared for higher levels of access to sensitive or classified systems actually needs all of the access available to them.
|
|
Access Control Types
|
- Administrative (Paperwork)
- Technical / Logical (Software and hardware)
- Physical (Guards and Bollards)
|
|
Information Classification Procedures
|
- Scope
- Process
- Ownership
- Declassification
- Marking and Labeling
- Assurance
|
|
Access Control Categories
|
- Preventive
- Detective
- Corrective
- Directive
- Deterrent
- Recovery
- Compensating
|
|
Access Control Threat
|
- Denial of Service
- Password Crackers
- Keystroke Loggers
- Spoofing / Masquerading
- Sniffers
- Shoulder Surfing
- Dumpster Diving
- Emanations
- TOC/TOU
|
|
Access Control Threat (TOC/TOU)
|
Time of Check vs. Time of Use: a race condition that takes advantage of a change in the security state of an object between the moment it is checked and the moment it is used.
|
|
System Access Control
|
- Identification
- Authentication
- Authorization
- Accountability
|
|
System Access Control (Identification)
|
The process, generally employing unique machine-readable names, that enables recognition of users or resources as valid accounts.
|
|
System Access Control (Authentication)
|
Verification, validation or proof of the professed identification of a person or node.
|
|
System Access Control (Authorization)
|
Specifies what a user is permitted to do.
|
|
System Access Control (Accountability)
|
The ability to track user activity on a system.
|
|
Authentication Methods
|
- Knowledge (something you know)
- Ownership (something you have)
- Characteristics (something you are)
|
|
Authentication by knowledge Example
|
Password or passphrase
|
|
Authentication by Ownership
|
- Tokens
- One-Time Passwords
- Smart Cards
- Memory Cards
- RFID Cards
|
|
Asynchronous Token Device
|
Uses a numeric keyboard for challenge-response technology.
|
|
Steps of Asynchronous Token Device
|
Step 1: User initiates login request.
Step 2: Authentication server provides a challenge that can only be answered by the user's token.
Step 3: User enters challenge and PIN into the token.
Step 4: Token generates response.
Step 5: User provides the response as the password to the authentication server.
Step 6: Access is granted.
|
|
Synchronous Token Types
|
- Event-based Synchronization
- Time-based Synchronization
|
|
Event-based Synchronization Token
|
Avoids the problem of time synchronization between the token and server by incrementing the counter with each use.
|
|
Time-based Synchronization
|
Requires that the clock in the token be within 3 or 4 minutes on either side of the clock in the authentication server.
|
|
Contact Smart Cards
|
Provide power to the embedded microprocessor and power to communicate with readers.
|
|
Contactless Smart Card
|
Contain an embedded radio frequency transceiver and work in close proximity to the reader.
|
|
Types of Biometrics
|
Physiological and Behavioral
|
|
Physiological Biometrics
|
Measure physical features such as fingerprints, iris granularity, blood vessels on the retina, etc.
|
|
Behavioral Biometrics
|
Measure dynamic characteristics such as voice inflections, keyboard strokes, signature motions, etc.
|
|
Biometric Selection Criteria
|
- Accuracy
- Acceptability
- Reaction or Processing Time
- Population Coverage
- Data Processing
|
|
False Rejection Rate (FRR)
|
Type 1 Error
|
|
False Acceptance Rate (FAR)
|
Type 2 Error
|
|
Crossover Error Rate (CER)
|
As the sensitivity of the biometric system is adjusted, FAR and FRR change inversely; the CER is the point at which the two rates are equal.
|
|
Identity Management (Manual Provisioning)
|
A manual process to add or change user accounts.
|
|
Identity Management (Complex Environments)
|
Users who need to work with several different systems in multiple locations end up with different user IDs and passwords.
|
|
Identity Management (Outsourcing Risks)
|
Moving business offshore, outsourcing daily operations or application development support puts information assets at greater risk.
|
|
Identity Management Benefits
|
- Headcount Reduction
- Productivity Increase
- Risk Management
|
|
Identity Management Technologies
|
- Web Access Management (WM)
- Password Management
- Account Management
- Profile Update
|
|
Access Control Technologies
|
- Single Sign-on
- Kerberos
- SESAME
- Directory Services
- Security Domains
|
|
Single Sign-on
|
Centralized authentication database
|
|
Legacy Single Sign-on
|
Storing user credentials
|
|
Kerberos
|
An SSO open-standards protocol for authentication in a single security domain. Utilizes Ticket Granting Tickets (TGTs) and Key Distribution Centers (KDCs).
|
|
SESAME
|
Protocol developed by the European Union that addresses multiple or disparate security domains.
|
|
Single Sign On Pros
|
- Efficient Log-on Process
- Encourages users to create stronger passwords
- Centralized administration
|
|
Single Sign On- Cons
|
- Single Point of Compromise
- Legacy Interoperability
- Implementation Difficulties
|
|
Directory Services
|
- Lightweight Directory Access Protocol (LDAP)
- Network Information Services (NIS)
- Domain Name System (DNS)
|
|
Security Domains
|
- Hierarchical Domain Relationship
- Equivalent Classes of Subjects
|
|
Security Domains (Hierarchical)
|
Following the Bell-LaPadula model, subjects are allowed to access objects at or lower than their access level.
|
|
Security Domains (Equivalent)
|
Each domain is encapsulated in a single subject with a separate address in order to achieve isolation from other domains.
|
|
Mandatory Access Control (MAC)
|
1. System
2. Owner
3. Classification
4. Clearance
5. Labeling
|
|
Discretionary Access Control (DAC)
|
The model in normal everyday use is DAC: the owner of the object decides who gets access.
|
|
Role Based Access Control (RBAC)
|
Based on job description, a person is assigned a role and inherits the privileges assigned to that role.
|
|
Rule Based Access Control
|
A Firewall
|
|
Content Dependent Access Control (CDAC)
|
Access control based on the use of an arbiter (content dependent) that filters the retrieval of data based on the content allowed to that user. Prevents exposure due to "covert channels".
|
|
Access Control List (ACL)
|
List of objects that can be accessed by specific subjects.
|
|
Access Control Matrix
|
An ACL put into a table.
|
|
Subject Oriented Table
|
"Who can access specific objects"
|
|
Non-Discretionary Access Control (NDAC)
|
Up to the security administrator regarding access.
|
|
Constrained User Interface
|
- Menus
- Database Views
- Physically constrained user interfaces
- Encryption
|
|
Centralized Access Control
|
- RADIUS (UDP)
- TACACS+ (TCP)
- Diameter
|
|
Network based IDS
|
Packets
|
|
Host-based
|
Permission
|
|
Application Based
|
Process
|
|
Intrusion Prevention Systems
|
- Host-Based
- Network-Based
- Content-Based
- Rate-Based
- KPI
|
|
Intrusion Prevention Systems (KPI)
|
Checking to make sure things are working.
|
|
Analysis Engine Methods
|
- Pattern or Signature-Based
  - Pattern Matching
  - Stateful Matching
- Anomaly-Based
  - Statistical
  - Traffic
  - Protocol
- Heuristic Scanning
|
|
Analysis Engine (Pattern)
|
Only works on known attacks; an attack must first be identified and a signature written before it can be detected.
|
|
Analysis Engine (Pattern - Stateful)
|
Analyzes the connection as a whole rather than its individual pieces; e.g. a port scan, ARP requests and pings seen together are suspicious.
|
|
Analysis Engine (Anomaly)
|
Establish a baseline of normal activity then sense any abnormal activity (anomalies)
|
|
Analysis Engine (Anomaly - Statistical)
|
Flags activity that deviates from a numeric (statistical) baseline.
|
|
Analysis Engine (Anomaly - Traffic)
|
Anomaly based on traffic abnormalities.
|
|
Analysis Engine (Anomaly - Protocol)
|
Discards packets based on abnormalities in comparison to protocol norms.
|
|
Penetration Testing
|
Good guy testing
|
|
Areas to Test
|
- Application Security
- Denial of Service
- War Dialing / War Driving
- Wireless Penetration
- Social Engineering
- PBX and IP Telephony
|
|
Pen Testing (External) types
|
- Zero-knowledge (Blind)
- Partial-knowledge
|
|
Pen Testing (Internal) Types
|
- Full-knowledge
- Targeted
- Blind
- Double-blind
|
|
Double Blind
|
Internal teams are unaware that an assessment is occurring.
|
|
Partial Knowledge
|
Grey Box
|
|
Full-Knowledge
|
White Box
|
|
Pen Testing Steps
|
1. Discovery
2. Enumeration
3. Vulnerability
4. Exploitation
|
|
Testing Hazards and Reporting
|
- Production Interruption
- Documentation
|