CISSP Access Control
Chapter 4 Access Control
The security features that control how users and systems communicate and interact with one another.
The flow of information between subject and object
An active entity that requests access to an object or the data in an object
A passive entity that contains information
Method of establishing the subject’s (user, program, process) identity.
Use of user name, user ID, account number, or other public information.
Method of proving the identification information
Something a person is, has, or does.
Use of biometrics, passwords, passphrase, token, or other private information.
Using criteria to determine which operations subjects may carry out on objects.
e.g. "I know who you are... what am I willing to let you do?"
Audit logs and monitoring to track user activity
biometrics - type I error
A biometric system rejects an authorized user.
biometrics - type II error
The system accepts an impostor that should be rejected.
Cross-over Error Rate (CER) or Equal Error Rate (EER)
A rating, stated as a percentage, that represents the point at which the false rejection rate equals the false acceptance rate.
Types of Biometrics
Iris Scan - most accurate
Electronic Monitoring - replay attack
Access to Password file
Password hashing and encryption
Limit logon attempts
Answer to several questions to verify a person's identity
Used for temporary authentication and then not able to be used again - resetting of password
Synchronous Token Device
RSA - time-based
Time on the token device and a secret key create the one-time password - the authentication service and the token device must keep their internal clocks in sync.
Counter-synchronization - pushing a button on the token device produces the next authentication value.
BOTH token device and authentication service must share the same secret key base for encryption and decryption
1. Challenge value is sent to the end user
2. End user enters the challenge value and PIN into the token device
3. Token device presents a different value
4. User enters new value into workstation
5. Value is sent to authentication server which is expecting a certain value
Is a sequence of characters that is longer than a password.
Takes the place of a password.
Can be more secure than a password because it is more complex.
Memory Cards: Holds authentication information - but cannot process information. (ATM card)
Holds authentication information and can process information.
Contact - gold seal - must be inserted into card reader
Contactless - has an antenna that broadcasts information to the reader once within a certain electromagnetic field
Hybrid - contactless smart card that has two processors which can interact with either the contact or contactless formats
Combi - one microprocessor chip that can interact with both contact and contactless
Attacks on Smart Cards
Fault Generation - presenting a smart card with an error in order to reveal the encryption function and possibly uncover the encryption key
Microprobing - removing the protective material of the smart card to gain direct access to data on the card's ROM chips
Side Channel Attacks (nonintrusive attacks)
Differential Power Analysis - examining the power emitted during processing
Electromagnetic Analysis - examining the frequencies emitted
Default to Zero
Need to Know Principle
Access Control Lists
KDC - Key Distribution Center
principals - users, applications
TGS - Ticket Granting Service
TGT - Ticket Granting Ticket
Single Sign-On Technologies
Kerberos - Authentication protocol that uses a KDC (key distribution center) and tickets, and is based on symmetric key encryption
SESAME - Authentication protocol that uses a PAS (Privileged Attribute Server) and PACs (Privilege Attribute Certificates), and is based on asymmetric and symmetric cryptography
Security Domains - resources working under the same security policy and managed by the same group
Directory Services - network directory service provides information about network resources
Dumb Terminals - Thin client - terminals that rely on a central server for access control, processing, and storage
Discretionary Access Control
Enables the owner of the resource to specify which subjects can access specific resources
Access control is at the discretion of the owner.
Mandatory Access Control
Access control is based on a security labeling system.
Users have security clearances and resources have security labels that contain data classifications.
This model is used in environments where information classification and confidentiality is very important (e.g., the military).
Non-Discretionary (Role Based) Access Control Models (RBAC)
Role Based Access Control (RBAC) uses a centrally administered set of controls to determine how subjects and objects interact.
Is the best system for an organization that has high turnover.
Access Controls Techniques
Rule Based Access Control - Restricts user access attempts by predefined rules
Constrained User Interfaces (restricted interface) - limits the user environment within the system - reduces access to objects
Access Control Matrix - table of subjects and objects which outlines their access relationships (Bound to object)
Content Dependent Access Control - Bases access decisions on the sensitivity of the data, not on subject identity
Context Dependent Access Control - Bases access decisions depending on the state of the situation and not solely on identity or content sensitivity
Capability Table - Bound to a subject and indicates what objects that subject can access (bound to subject)
ACL - bound to an object and indicates what subject can access it
Centralized Access Control
RADIUS (UDP) - only encrypts the password; authentication and authorization services are combined; single challenge-response
TACACS (TCP) - all traffic is encrypted; AAA support (authentication, authorization, and auditing are separate)
Diameter - learn later if applicable - based on RADIUS but better
Decentralized Access Control Administration
Gives control of access to the people who are closer to the resources
Has no method for consistent control and lacks proper consistency.
Administrative Access Controls
Policy and Procedure
Separation of Duties
Rotation of Duties
Security Awareness Training
Work Area Separation
Technical (Logical) Controls
Encryption and protocols
Access Control Functionalities
Preventative Access Controls
Preventative Administrative Controls
Includes policies, hiring practices, security awareness
Preventative Physical Controls
Includes badges, swipe cards, guards, fences
Preventative Technical Controls
Includes passwords, encryption, antivirus software
Accountability is tracked by recording user, system, and application activities.
Audit information must be reviewed
Event Oriented Audit Review
Real Time and Near Real Time Review
Audit Reduction Tools
Variance Detection Tools
Attack Signature Tools
Access control Best practices
Deny access to anonymous accounts
Enforce strict access criteria
Suspend inactive accounts
Replace default passwords
Enforce password rotation
Audit and review
Protect audit logs
Unauthorized Disclosure of Information
Object Reuse - data stored on device or memory
Tempest - DOD - typically for military purposes
White Noise - emits white noise so that the data cannot be deciphered
Control Zone - creates a barrier in the ceiling and walls so that data cannot be deciphered
Intrusion Detection - Network vs. host
Network based - monitors network traffic in promiscuous mode
host based - installed on machine and monitors activity on the server
HIDS and NIDS can be:
Signature Based - pattern matching, stateful matching
Anomaly Based - Statistical Anomaly Based, Protocol Anomaly Based, Traffic Anomaly Based
Rule Based - expert system - with knowledge base, inference engine, rule-based programming
Intrusion Prevention System - Detects activity and does not allow access to the resource
Intrusion Detection - Components
Three Common Components:
Security Threats to Access Control
Countermeasures include strong password policies, strong authentication, intrusion detection and prevention
Brute Force Attacks
Countermeasures include penetration testing, minimum necessary information provided, monitoring, intrusion detection, clipping levels
Spoofing at Logon
Countermeasures include a guaranteed trusted path, security awareness to be aware of phishing scams, SSL connection