87 Cards in this Set

  • Front
  • Back
Basic requirements of Access Control
Security, Reliability, Transparency, Scalability, Maintainability, Auditability, Integrity and Authentic
Access Control (Security)
Must ensure only authorized personnel access.
Access Control (Reliability)
Assurance that the access control mechanisms function as expected.
Access Control (Transparency)
Minimal impact on the ability of authorized users to interface with the system.
Access Control (Scalability)
Ability to expand based on demands without compromising system performance.
Access Control (Maintainability)
Simple system that is easily maintained.
Access Control (Auditability)
System should be testable and verifiable. (i.e. audit trails and logs)
Access Control (Integrity)
System must be designed to protect subjects, objects and permissions from unauthorized changes.
Access Control (Authentic)
System should ensure that data input are authentic.
Separation of Duties
No one person should have complete control over a single process.
Least Privilege
People or processes should only be allowed access to the resources they absolutely need to accomplish their assigned work.
Need To Know
Not everyone who is cleared for higher levels of access to sensitive or classified systems actually needs all of the access available to them.
Access Control Types
- Administrative (Paperwork)
- Technical / Logical (Software hardware)
- Physical (Guards and Bollards)
Information Classification Procedures
- Scope
- Process
- Ownership
- Declassification
- Marking and Labeling
- Assurance
Access Control Categories
- Preventive
- Detective
- Corrective
- Directive
- Deterrent
- Recovery
- Compensating
Access Control Threat
- Denial of Service
- Password Crackers
- Keystroke Loggers
- Spoofing / Masquerading
- Sniffers
- Shoulder Surfing
- Dumpster Diving
- Emanations
- TOC/TOU
Access Control Threat (TOC/TOU)
Time of check vs. Time of Use is a race condition that takes advantage of changes in the state of the security of an object.
System Access Control
- Identification
- Authentication
- Authorization
- Accountability
System Access Control (Identification)
The process generally employing unique machine-readable names that enables recognition of users or resources as valid accounts.
System Access Control (Authentication)
Verification, validation or proof of the professed identification of a person or node.
System Access Control (Authorization)
Specifies what a user is permitted to do.
System Access Control (Accountability)
The ability to track user activity on a system.
Authentication Methods
- Knowledge (know)
- Ownership (have)
- Characteristics (are)
Authentication by knowledge Example
Password or passphrase
Authentication by Ownership
- Tokens
- One Time passwords
- Smart Cards
- Memory Cards
- RFID Cards
Asynchronous Token Device
Uses a numeric keyboard for challenge-response technology.
Steps of Asynchronous Token Device
Step 1: User initiates login request.

Step 2: Authentication server provides a challenge that can only be answered by the user's token.

Step 3: User enters challenge and PIN.

Step 4: Token generates response.

Step 5: User provides password to auth server.

Step 6: Access is granted.
Synchronous Token Types
- Event-based Synchronization
- Time-based Synchronization
Event-based Synchronization Token
Avoids the problem of time synchronization between the token and server by incrementing the counter with each use.
Time-based Synchronization
Requires that the clock in the token be within 3 or 4 minutes on either side of the clock in the authentication server.
Contact Smart Cards
Provide power to the embedded microprocessor and power to communicate with readers.
Contactless Smart Card
Contain an embedded radio frequency transceiver and work in close proximity to the reader.
Types of Biometrics
Physiological and Behavioral
Physiological Biometrics
Measure features like fingerprints, iris granularity, blood vessels on the retina etc.
Behavioral Biometrics
Measure dynamic characteristics such as voice inflections, keyboard strokes, signature motions etc.
Biometric Selection Criteria
- Accuracy
- Acceptability
- Reaction or Processing Time
- Population Coverage
- Data Processing
False Rejection Rate (FRR)
Type 1 Error
False Acceptance Rate (FAR)
Type 2 Error
Crossover Error Rate (CER)
As the sensitivity of the biometric system is adjusted, FAR & FRR values change inversely.
Identity Management (Manual Provisioning)
A manual process to add or change user accounts.
Identity Management (Complex Environments)
Users who need to work with several different systems in multiple locations end up with different user IDs and passwords.
Identity Management (Outsourcing Risks)
Moving business offshore, outsourcing daily operations or application development support puts information assets at greater risk.
Identity Management Benefits
- Headcount Reduction
- Productivity Increase
- Risk Management
Identity Management Technologies
- Web Access Management (WM)
- Password Management
- Account Management
- Profile Update
Access Control Technologies
- Single Sign-on
- Kerberos
- SESAME
- Directory Services
- Security Domains
Single Sign-on
Centralized authentication database
Legacy Single Sign-on
Storing user credentials
Kerberos
An SSO open-standards protocol for authentication in a single security domain. Utilizes Ticket Granting Tickets (TGTs) and KDCs.
SESAME
Protocol developed by the European Union that addresses multiple or disparate security domains.
Single Sign On Pros
- Efficient Log-on Process
- Encourages users to create stronger passwords.
- Centralized administration
Single Sign On Cons
- Single Point of Compromise
- Legacy Interoperability
- Implementation Difficulties
Directory Services
- Lightweight Directory Access Protocol (LDAP)
- Network Information Services (NIS)
- Domain Name System (DNS)
Security Domains
- Hierarchical Domain Relationship
- Equivalent Classes of Subjects
Security Domains (Hierarchical)
Following the Bell-LaPadula model, subjects are allowed to access objects at or lower than their access level.
Security Domains (Equivalent)
Each domain is encapsulated in a single subject with a separate address in order to achieve isolation from other domains.
Mandatory Access Control (MAC)
1. System
2. Owner
3. Classification
4. Clearance
5. Labeling
Discretionary Access Control (DAC)
The access control type normally used; the owner decides who gets access.
Role Based Access Control (RBAC)
Based on job description, a person will be assigned a role and inherit the privileges assigned that role.
Rule Based Access Control
A Firewall
Content Dependent Access Control (CDAC)
Access control based on the use of an arbiter (content dependent) that filters the retrieval of data based on the content allowed to that user. Prevents exposure due to "covert channels".
Access Control List (ACL)
List of objects that can be accessed by specific subjects.
Access Control Matrix
An ACL put into a table.
Subject Oriented Table
"Who can access specific objects"
Non-Discretionary Access Control (NDAC)
Up to the security administrator regarding access.
Constrained User Interface
- Menus
- Database Views
- Physically constrained user interfaces
- Encryption
Centralized Access Control
- RADIUS (UDP)
- TACACS+ (TCP)
- Diameter
Network based IDS
Packets
Host-based
Permission
Application Based
Process
Intrusion Prevention Systems
- Host Based
- Network Based
- Content-based
- Rate-Based
- KPI
Intrusion Prevention Systems (KPI)
Checking to make sure things are working.
Analysis Engine Methods
- Pattern or Signature-Based
- Pattern Matching
- Stateful Matching
- Anomaly-Based
- Statistical
- Traffic
- Protocol
- Heuristic Scanning
Analysis Engine (Pattern)
Only works on known attacks; waits to be identified
Analysis Engine (Pattern - Stateful)
Analysis of the whole connection versus pieces of it, e.g. a port scan, ARPs and pinging together is suspicious.
Analysis Engine (Anomaly)
Establish a baseline of normal activity then sense any abnormal activity (anomalies)
Analysis Engine (Anomaly - Statistical)
Based on an anomaly in comparison to a numeric baseline.
Analysis Engine (Anomaly - Traffic)
Anomaly based on traffic abnormalities.
Analysis Engine (Anomaly - Protocol)
Discards packets based on abnormalities in comparison to protocol norms.
Penetration Testing
Good guy testing
Areas to Test
- Application Security
- Denial of Service
- War Dialing / War Driving
- Wireless Penetration
- Social Engineering
- PBX and IP Telephony
Pen Testing (External) types
- Zero-knowledge (Blind)
- Partial-Knowledge
Pen Testing (Internal) Types
- Full-knowledge
- Targeted
- Blind
- Double-blind
Double Blind
Internal teams are unaware that an assessment is occurring.
Partial Knowledge
Grey Box
Full-Knowledge
White Box
Pen Testing Steps
1. Discovery
2. Enumeration
3. Vulnerability
4. Exploitation
Testing Hazards and Reporting
- Production Interruption
- Documentation