Access Control

Question 1

CIA

Answer 1

CIA- Confidentiality, Integrity, Availability

Question 2

DAD

Answer 2

DAD (disclosure, alteration, destruction) opposes CIA

Question 3

IAAA

Answer 3

IAAA –

• Identity,
• Authentication (proving an id claim),
• Authorization (actions you can perform),
• Accountability (or Auditing)

Question 4

Non-repudiation

Answer 4

Non-repudiation- user can’t deny performing a transaction

Question 5

Least Privilege

Answer 5

Least Privilege- minimum amount of access to do job (this is an ideal or target)

Question 6

Need to Know

Answer 6

Need to Know- more granular than Least Privilege (object level). E.g. have a secret clearance, and cleared for a program.

Question 7

Subject

Answer 7

Subject- active entity on a system (user, running program)

Question 8

Object

Answer 8

Object- passive data on system (file)

Question 9

Defense in Depth

Answer 9

Defense in Depth- (Layered Defense) multiple safeguards in layers (or controls); e.g., you had to get to a workspace, authn to workstation, the network, then the application

Question 10

Access Control Models (3 main models)

Answer 10

Access Control Models (3 main models)

• DAC
• MAC
• RBAC

Question 11

DAC

Answer 11

DAC (Discretionary Access Control)- gives data owners full control of objects; access given via ACL based on Id (rather than roles as in RBAC)

Question 12

MAC

Answer 12

MAC (Mandatory Access Control)- based on subject clearance + object labels

• Data owners cannot grant access!
• OS makes the decision based on a security label system
• Subject’s label must dominate the object’s label (greater than or equal to)
• Users and Data are given a clearance level (confidential, secret, top secret etc)*
• Rules for access are configured by the security officer and enforced by the OS.
• focus on confidentiality; difficult & expensive so it’s used for secure programs

Examples: SELinux, Trusted Solaris, Honeywell’s SCOMP, Purple Penelope, LIDS (Linux Intrusion Detection System)

Question 13

RBAC

Answer 13

RBAC (Role-Based Access Control) (some consider a form of MAC):

• Also called non-discretionary
• Scales better than DAC and helps deter authZ creep
• Role Assignment- users are assigned an active role
• Role Authorization- users only have roles they are authZ for
• Transaction Authorization- only execute authz transactions

Question 14

Other Access Control Technologies

Answer 14

Access Control Technologies

• Task-based Access Control
• Content Dependent Access Control
• Context (e.g. time) Dependent Access Control
• Rule-based Access Control
• Access Control Matrix
• Constrained User Interface
• Restrict user access by not allowing them see certain data or have certain functionality (based on the Clark Wilson model of ‘keep users out of your system’)

Question 15

IBM Access provisioning lifecycle rules

Answer 15

IBM Access provisioning lifecycle rules

1. Password compliance checking
2. Notifying users to change password before expiration
3. Identifying accounts that should be suspended due to inactivity for more than 30 day
4. Identifying unused new accounts
5. Identifying accounts for deletion due to being suspended more than 30 days
6. Revoking accounts when a contract expires or user leaves

Question 16

Access Aggregation

Answer 16

Access Aggregation- users gain access to more systems over time

Question 17

Authorization Creep

Answer 17

Authorization Creep- users gain more entitlements without shedding the old ones

Question 18

RADIUS

Answer 18

RADIUS- Remote AuthN Dial-In User Service; most often used

• Centralized
• UDP (User Datagram Protocol)
• Provides limited accountability
• Problems with flexibility, scalability, reliability, and security
• Encrypts only password
• Uses PAP, CHAP, or EAP

Request and response carried in AVP (attribute-value pairs) (8 bits):

• Access-Request
• Access-Accept
• Access-Reject
• Accounting-Request
• Accounting-Response
• Access-Challenge
• Status-Server
• Status-Client

Question 19

Diameter

Answer 19

Diameter- successor & improver on RADIUS

o Centralized

o Is currently draft standard

o Uses 32 bit AVP

o Support for mobile

o Single server to manage policies

o Uses TCP (Transmission Control Protocol)

Question 20

TACACS

Answer 20

TACACS (Terminal Access Controller Access Control System)

o Similar function to RADIUS

o UDP (can also use TCP)

o Centralized

o Authn using Id and static (reusable) password >> vulnerability

Question 21

TACACS+

Answer 21

TACACS+

o TCP

o Centralized

o Multifactor AuthN

o Not backward compatible to TACACS

o Encrypts all data (uname & password) below the header

Question 22

PAP

Answer 22

PAP (Password Authentication Protocol) o Password sent in clear text

Question 23

CHAP

Answer 23

CHAP (Challenge Handshake Authentication Protocol) o Protection against playback attack o Uses secret (not sent over the link) known to authenticator and peer for authN o Possible for mutual authN o has stored passwords in clear-text Three-way authN process: 1) server sends challenge (nance); 2) client sends hashed challenge and password to server; 3) server compares hash against expected results

Question 24

Separation of duties

Answer 24

Separation of duties- have more than one user perform sensitive transactions

Question 25

Rotation of duties

Answer 25

Rotation of duties- helps mitigate collusion; review work of peers

Question 26

NSI Labels (objects)

Answer 26

NSI Labels (objects) o Top Secret- exceptional grave damage to national security o Secret- serious damage o Confidential- damage

Question 27

Additional object labels

Answer 27

Additional object labels: o Sensitive but unclassified (SBU) o For Official Use Only (FOUO) o Sensitive Compartmented Information (SCI)

Question 28

Access Control Defensive Types

Answer 28

Access Control Defensive Types o Preventative- prevent actions from occurring, e.g., pre-employment drug screening o Detective- alert during or after successful attack, e.g., alarm o Corrective- typically works with detective to correct damage, e.g., anti-virus scan & quarantine o Recovery- restore system/org functionality, e.g., reload of software or data o Deterrent- deter users from performing actions, e.g. security sign o Compensating- addition control to compensate for weakness

Question 29

Authentication Methods

Answer 29

o Type 1- Something you know o Type 2- Something you have o Type 3- Something you are- biometric

Question 30

Type 1 authN

Answer 30

Type 1- Something you know o Static passwords- reusable o Passphrases- words in a phrase o One-time Password (OTP)- secure but difficult to manage o Dynamic passwords- change at regular intervals

Question 31

Type 2 authN

Answer 31

Type 2- Something you have o Synchronous dynamic tokens- time or counters to synch a displayed token o Asynchronous dynamic token- (challenge response tokens), challenge for user to enter info and their pin \>\> output of device is sent to system, e.g. smartcard

Question 32

Type 3 authN

Answer 32

Type 3- Something you are- biometric o Template or file size should be 1K or less o Should not cause psychological stress o Must be used by all staff or have compensating controls o Possible to exchange bodily fluids

Question 33

Bio Enrollment

Answer 33

Enrollment- user registering: provides name, PIN/password, and bio info

Question 34

Bio Throughput

Answer 34

Throughput- authN using bio, typically 6-10 seconds

Question 35

FRR

Answer 35

False Reject Rate (FRR)- type 1 error, authorized subject rejected

Question 36

FAR

Answer 36

False Accept Rate (FAR)- type 2 error, unauthorized accepted

Question 37

CER

Answer 37

Crossover Error Rate (CER) or Equal Error Rate (EER)- where FRR = FAR, describes overall accuracy (higher is better)

Question 38

Fingerprints

Answer 38

Fingerprints- 40 data points usually scanned; most widely used; main minutiae types:[![]() ](https://s3.amazonaws.com/brainscape-prod/system/cm/140/576/585/a_image_card.jpg?1431623422)

Question 39

Retina scan

Answer 39

Retina scan- laser scan of capillaries; rarely used due health and privacy issues

Question 40

Iris scan

Answer 40

Iris scan- picture of iris; high accuracy, passive

Question 41

Password management (adopted by DoD and MS community)

Answer 41

Password management (adopted by DoD and MS community) o history = 24 o Maximum age = 90days o Minimum age = 2 days o Minimum length = 8char o Complexity requirements o No reversible encryption (hashing)

Question 42

Kerberos

Answer 42

Kerberos- three headed dog (AAA) guarding Hades o Used in Windows2000+ and some Unix o Key distribution model, does not transmit passwords o Uses DES and AES for encryption o Symmetric encryption \>\> protects against sniffing and replay attacks (via timestamps) o Principles include the User and Network Services o KDC- Key Distribution Center which authN principles and sends a Session Key and TGT Key (Ticket Granting Ticket) o TGS (Ticket Granting Server)- receives TGT and Session Key from principal and issues C/S (client/server) Key & Service Key (for server) to principal o Realms – a grouping of principals that a KDC provides service for, looks like a domain name o Server receives Session Key and Service Key o KDC and TGS can go down and TGT will still be valid Weaknesses: 1. KDC stores all principals keys; 2. KDC & TGS are single point of failure; 3. can steal locally cached credentials; 4. plaintext storage of symmetric keys

Question 43

SESAME

Answer 43

SESAME (Secure European System for Applications in a Multivendor Environment) o SSO that Adds to Kerberos using PKI o Uses **PACS** (Privileged Attribute Certificates) rather than tickets, PACS are digitally signed and contain the subjects identity, access capabilities for the object, access time period and lifetime of the PAC. o PACS come from the Privileged Attribute Server (**PAS**) o supports heterogeneous environments o scalability of public key encryption (asymmetric key); symmetric keys not stored in plaintext o more sophisticated access control o better manageability, audit, and delegation

Question 44

KryptoKnight

Answer 44

KryptoKnight- older obsolete SSO Technology

Question 45

Security Audit Logs

Answer 45

Security Audit Logs- NIST directs to collect the following logs * Network security SW/HW (antivirus, remote access, firewall, authn) * Operating System (sys events, audit records) * Application (request, response, operational actions) Five mistakes: 1. Not reviewed regularly or timely 2. Not stored long enough 3. Not standardized or viewable by toolsets 4. Not prioritized 5. Only reviewed for the bad stuff