CISSP (ElementK) Information Systems Access Control Flashcards

Access Control Types
Terms Definitions
CIA Triad
Confidentiality Integrity Availability
Confidentiality
keeping information/communications private and protecting them from unauthorized access
Integrity
keeping organizational information accurate, without error, and free of unauthorized modification
Availability
ensuring systems operate continuously and authorized persons can access the data they need when they need it
Access Control
principle for determining & assigning privileges to various resources, objects, & data
Reference Monitor
component of some access control systems that determines whether a subject can access an object; every access request is routed through it
Reference Monitor Characteristics (three)
1. Tamper proof
2. Always invoked (cannot be bypassed)
3. Compact & verifiable (small enough to be analyzed and tested)
Least Privilege
principle that a subject is granted only the minimum privileges (access rights) needed to perform its task, and no more
Need to Know
principle that a subject is given access to classified data only when that access is required to perform a given task or job function; holding the right clearance alone is not enough
Separation of Duties (SoD)
dividing the tasks of a business process or work function between different people, so that no single person can complete (or subvert) the whole process alone
Access Control Types (4)
1. Identification & Authentication (I&A)
2. Authorization
3. Audit
4. Accountability
I&A
Identification & Authentication: unique identifier for a user & method(s) to ensure the identity of the user
Authorization
determines the capabilities/rights of a subject when accessing an object
Audit
creates a log/record of activities on the system
Accountability
reporting on and reviewing the contents of the log files to tie actions back to a subject. NOTE: the identifier must be UNIQUE so that activities can be related to exactly one subject
Access Control Services Implementation (5 steps)
1. Identify the individual/entity attempting to access an object
2. Verify/authenticate the individual's identity
3. Evaluate the rules to determine the individual's access
4. Create an audit trail (access attempt & function performed)
5. Review the log to see who accessed what and when (done by managers)
Access Control Categories (6 total: 3 sufficient, 3 additional)
Sufficient: preventive, detective, corrective.
Additional: deterrent, recovery, compensating
Preventive
stops unauthorized access to an object. e.g. CAC/biometrics
Detective
identifies attempts to access an entity without proper authorization (alerts admins of an attempted security violation). e.g. IDS
Corrective
responds to security violations to reduce or completely eliminate their impact. e.g. IPS
Deterrent
discourages individuals from violating security policies. e.g. a policy that threatens termination, or imposes a fine, if security is breached
Recovery
used to return a system to an operational state after a CIA triad violation. e.g. backup tape, offsite journaling
Access Control Types (3)
Administrative
Physical
Technical
Administrative
AC type that controls a broad area of security; includes personnel security, monitoring, user/password management, permissions, etc.
Physical
AC type used to limit physical access to protected information/facilities. e.g. locks, doors, fences, etc.
Technical
AC type implemented in the computing environment (OS, applications, DB, firewall). e.g. account lockout after 3 failed logon attempts
Access Control Matrix
table displaying each subject's access/permissions to each object (r = read, w = write, x = execute, o = own)
Discretionary Access Control (DAC)
restricting access to objects based on the identity of subjects/groups; the owner of an object decides who gets access. e.g. admin privileges, user privileges
Access Control List
(DAC) list of permissions associated with each object; specifies which subjects/groups can access it and their level of access. Equivalent to one column of the access control matrix; more practical than the full ACM with a larger number of objects
Mandatory Access Control (MAC)
restricting access to objects based on the sensitivity label of the information in the object and the clearance of the subject; the system, not the object owner, enforces the rule. Labels: TOP SECRET, SECRET, CONFIDENTIAL, UNCLASSIFIED
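The matrix, ACL, DAC and MAC cards above in working code. This is an added example, not from the ElementK deck: the subjects, objects, permissions and labels are constructed, and the MAC rules assumed are the Bell-LaPadula ones (no read up, no write down). The single `check_access` function plays the reference monitor: every request goes through it, and the DAC entry and the MAC labels must both allow the access.

```python
"""Access control matrix with DAC (owner-granted) and MAC (label) checks.

Added example, not part of the ElementK flashcards. The subjects, objects,
permissions and labels below are constructed for illustration, and the MAC
rules assumed are the Bell-LaPadula ones (read down, write up).
"""
from enum import IntEnum


class Level(IntEnum):
    """Sensitivity labels, ordered so a higher clearance dominates a lower one."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


# Access control matrix: rows = subjects, columns = objects,
# cells = permission sets (r read, w write, x execute, o own).
MATRIX = {
    "alice": {"payroll.xlsx": {"r", "w", "o"}, "backup.sh": {"r", "x"}},
    "bob":   {"payroll.xlsx": {"r"},           "backup.sh": {"r", "w", "x", "o"}},
}

# MAC labels: subject clearances and object classifications (constructed).
CLEARANCE = {"alice": Level.SECRET, "bob": Level.UNCLASSIFIED}
CLASSIFICATION = {"payroll.xlsx": Level.SECRET, "backup.sh": Level.UNCLASSIFIED}


def acl(obj):
    """The object's ACL is one column of the matrix: subject -> permissions."""
    return {subj: perms[obj] for subj, perms in MATRIX.items() if obj in perms}


def dac_grant(owner, grantee, obj, perm):
    """DAC: a subject may hand out permissions only on objects it owns."""
    if "o" not in MATRIX.get(owner, {}).get(obj, set()):
        raise PermissionError(f"{owner} does not own {obj}")
    MATRIX.setdefault(grantee, {}).setdefault(obj, set()).add(perm)


def mac_allows(subject, obj, perm):
    """MAC: read needs clearance >= classification (no read up);
    write needs classification >= clearance (no write down)."""
    clr, cls = CLEARANCE[subject], CLASSIFICATION[obj]
    if perm == "w":
        return cls >= clr
    return clr >= cls


def check_access(subject, obj, perm):
    """Reference-monitor style decision point: every request comes through
    here, and both the discretionary entry and the mandatory labels must allow it."""
    dac_ok = perm in MATRIX.get(subject, {}).get(obj, set())
    return dac_ok and mac_allows(subject, obj, perm)


if __name__ == "__main__":
    print("alice reads payroll:", check_access("alice", "payroll.xlsx", "r"))  # True
    print("bob reads payroll:  ", check_access("bob", "payroll.xlsx", "r"))    # False: no read up
    dac_grant("bob", "alice", "backup.sh", "w")  # bob owns backup.sh, so DAC permits the grant
    print("alice writes backup:", check_access("alice", "backup.sh", "w"))     # False: no write down
```

The last two calls are the point of the card: bob, as owner, can grant alice write on his script under DAC, but the mandatory labels still refuse the write because SECRET data must not flow down to an UNCLASSIFIED file. That is what "the system, not the owner, enforces the rule" means in practice.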
Non-Discretionary Access Techniques (5)
Role based Access Control (RBAC)
Rule-based
Content dependent
Constrained interface
Time-based
Role based Access Control (RBAC)
based on the role/job performed by the subject. Groups: admin, user, nurse, etc.
Rule-based
based on operational rules/restrictions written in a conditional (if/then) format, like firewall rules
Content dependent
limits the subject's access based on the content of the data. MORE OVERHEAD due to the analysis of the data contents
Constrained Interface
limits access by limiting the interface. e.g. an ATM gives the user only limited information because the user can only interact through the keypad, with a limited menu of options to manage the account
Time-based
limits access based on the time of day. e.g. access only during certain hours (8am to 5pm)
ID Types (2)
ID card
User ID
Authentication Types (3)
Something you . . .
KNOW - password/PIN
HAVE - CAC card, token
ARE - biometrics
Something You KNOW
password, PIN, passphrase
Something You HAVE
magnetic striped cards, proximity cards, smart cards, token devices; usually require a PIN as well.
TOKEN: a code is displayed on the device; the user is prompted to enter it on the system along with his/her personal PIN
Something You ARE
BIOMETRICS:
fingerprint
handprint
hand geometry
iris scan (colored eye pattern)
retina scan (blood vessel pattern)
voiceprint
facial recognition
susceptible to FRR/Type I and FAR/Type II errors
False Rejection Rate
Type I error: an authorized user is denied access
False Acceptance Rate
Type II error: an unauthorized user is granted access
Crossover Error Rate
CER: the point at which FRR and FAR are equal (where the two curves intersect on a graph). The lower the CER, the more accurate the biometric system; raising the match threshold trades a lower FAR for a higher FRR
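The FRR/FAR/CER cards as a computation. This is an added example, not from the ElementK deck: the genuine and impostor match scores are constructed, not taken from any real biometric system, and the "threshold" is the minimum similarity score at which the system accepts a match. Sweeping the threshold shows the trade-off directly: a low threshold rejects nobody but lets impostors in, a high one keeps impostors out but turns away legitimate users.

```python
"""FRR, FAR and the crossover error rate from biometric match scores.

Added example, not part of the ElementK flashcards. GENUINE and IMPOSTOR
are constructed similarity scores (0..100, higher = better match), not
output from a real sensor.
"""

GENUINE = [92, 88, 85, 81, 79, 77, 74, 70, 58, 52]   # enrolled user vs self
IMPOSTOR = [63, 56, 50, 48, 45, 42, 40, 38, 35, 30]  # someone else vs enrolled user


def frr(threshold, genuine=GENUINE):
    """Type I: fraction of authorized users rejected at this threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def far(threshold, impostor=IMPOSTOR):
    """Type II: fraction of impostors accepted at this threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep every integer threshold; return (threshold, CER) where FRR and
    FAR are closest. With discrete scores the curves may not meet exactly,
    so the CER is taken as the mean of the two rates at that point."""
    lo, hi = min(genuine + impostor), max(genuine + impostor) + 1
    best = None
    for t in range(lo, hi + 1):
        r, a = frr(t, genuine), far(t, impostor)
        if best is None or abs(r - a) < best[0]:
            best = (abs(r - a), t, (r + a) / 2)
    return best[1], best[2]


def threshold_for_max_far(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """Security-first tuning: the lowest threshold whose FAR does not exceed
    max_far, returned with the FRR the users will pay for it."""
    for t in range(min(genuine + impostor), max(genuine + impostor) + 2):
        if far(t, impostor) <= max_far:
            return t, frr(t, genuine)


if __name__ == "__main__":
    for t in (40, 57, 64, 80):
        print(f"threshold {t}: FRR={frr(t):.1f} FAR={far(t):.1f}")
    print("crossover (threshold, CER):", crossover())          # (57, 0.1)
    print("FAR 0 requires:", threshold_for_max_far(0.0))        # (64, 0.2)
```

For a high-security door you tune toward `threshold_for_max_far`, accept the extra rejections, and cover them with a fallback (a guard, a second factor); for convenience logins you sit nearer the crossover. The CER is only a single-number summary for comparing products, not the operating point you deploy.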
Strong/2 Factor Authentication
uses more than one type (factor) of authentication to access a system/facility. e.g. CAC & PIN, fingerprint & PIN
Single Sign On (SSO) & 3 types of SSO
a single user ID and password allow the user to access all of his/her applications.
Kerberos (RFC 4120)
SESAME (European)
KryptoKnight (IBM)
Kerberos
1. User credentials > Authentication Server (AS)
2. AS > user: Ticket Granting Ticket (TGT)
3. User presents TGT > Ticket Granting Server (TGS)
4. TGS > user: Service Ticket (ST)
5. User presents ST > application server/system resource
The KDC (AS + TGS) is a single point of failure, so Kerberos is susceptible to DoS attacks
Access Control Administration Methods (3)
Centralized (enterprise managed): RADIUS/TACACS/DIAMETER
De-centralized (locally managed)
Hybrid (both; defines which admins can update which accounts, and whether central changes override local ones or vice versa)
Risk
indicates the chance of exposure to damage/loss
Access Control Methods (2)
Software
Human
Software Based AC Attacks (9)
DoS
Malicious SW
Brute Force
Dictionary Attack
Sniffing
Emanation
Object Reuse
Trap/Backdoor
Spoofing
Human-based AC Attacks (6)
Guessing
Shoulder surfing
Dumpster diving
Theft
Social engineering
Spoofing
DoS
targets network devices, bandwidth availability, servers, applications, workstations; limits or eliminates users' ability to access the network/data (an availability attack)
Malicious SW
causes system failures or malfunctions (affects integrity & confidentiality, and availability when the system fails). e.g. spyware, viruses, worms
Brute Force
password attack that tries every possible combination to crack the password
Dictionary Attack
using words from a dictionary (wordlist) to crack a password; far fewer guesses than brute force, and succeeds whenever the password is a common word or phrase
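The brute force and dictionary attack cards, run against the "account lockout after 3 failed logon attempts" technical control from the Technical card. This is an added example, not from the ElementK deck: the user, password and wordlist are constructed, and the password store uses PBKDF2 from the standard library. It shows the distinction a practitioner cares about: lockout stops an online guessing attack against the login form, but does nothing for an offline attack against a stolen hash.

```python
"""Dictionary attack with and without an account-lockout control.

Added example, not part of the ElementK flashcards. The account, password
and WORDLIST are constructed for illustration.
"""
import hashlib
import hmac
import os

ITERATIONS = 50_000  # kept low so the demo runs quickly; use more in production


def store_password(password, salt=None):
    """Salted PBKDF2-SHA256 hash, the form a password database should hold."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, record):
    """Constant-time comparison of the candidate's hash against the stored one."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class Account:
    """Login endpoint with the technical control: lock after N failures."""

    def __init__(self, password, max_failures=3):
        self.record = store_password(password)
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def login(self, password):
        if self.locked:
            return False
        if verify(password, self.record):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
        return False


# Constructed wordlist; a real one has millions of entries.
WORDLIST = ["password", "letmein", "qwerty", "welcome", "summer2024", "dragon"]


def offline_dictionary_attack(record, wordlist=WORDLIST):
    """Attacker holds the stolen hash: no lockout applies, only hashing cost."""
    for word in wordlist:
        if verify(word, record):
            return word
    return None


def online_dictionary_attack(account, wordlist=WORDLIST):
    """Attacker only has the login form: returns (password_or_None, attempts)."""
    attempts = 0
    for word in wordlist:
        if account.locked:
            break
        attempts += 1
        if account.login(word):
            return word, attempts
    return None, attempts


if __name__ == "__main__":
    acct = Account("summer2024")
    print("offline:", offline_dictionary_attack(acct.record))   # summer2024
    print("online: ", online_dictionary_attack(acct))           # (None, 3)
    print("locked: ", acct.locked)                               # True
```

Two caveats the cards leave out. First, the offline path succeeds regardless of lockout, so the real defenses there are a slow salted hash and a password that is not in any wordlist. Second, lockout is itself a DoS vector: an attacker who knows the user IDs can lock every account with three bad guesses each, so production systems pair it with a timed reset or rate limiting rather than a permanent lock.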
Sniffing
using special monitoring software to capture traffic on the network wire or wireless signal; used to steal the content of communications, or information (e.g. credentials) that helps gain access later
Emanation
obtaining protected information from the electromagnetic emissions of wires, displays or radio signals using sophisticated monitoring devices
Object Reuse
reclaiming classified/sensitive information from media once thought to have been erased or overwritten.
data remanence: data left on media after the file erase/deletion process
Trap/backdoor
trapdoor: hidden entry point in a program or OS that bypasses identification/authentication.
backdoor: software attack; the software/code used to create the trapdoor (aka backdoor), which is then used to gain access. Delivered via trojan horse/virus
Spoofing
attacker assumes another identity: IP, MAC or DNS spoofing
Intrusion Detection Systems (IDS)
identifies and addresses potential attacks on a host or network (host-based versus network-based).
signature-based: matches known patterns, aka signatures
anomaly-based: detects deviations from normal behavior (the baseline must be learned first)
IDS Modes (2)
Monitoring (alerts admins)
Prevention (IPS, blocks automatically if an attack is detected)
IDS Categories (8)
Network
Host-based
Signature-based
Anomaly-based
Protocol-based (proxy)
Application-protocol-based (application & proxy)
Hybrid (2 or more IDS types)
Passive/Reactive (alert only vs IPS method)
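The IDS cards (signature-based vs anomaly-based, monitoring vs prevention mode) as detection logic run over log lines. This is an added example, not from the ElementK deck: the log lines, the two signatures and the learned baseline are all constructed. The signature detector only finds what it has a pattern for (here a path traversal probe), while the anomaly detector flags the source whose failed-login count is far above the learned norm, which is how it would catch a guessing tool no signature describes yet.

```python
"""Signature-based and anomaly-based detection over constructed log lines.

Added example, not part of the ElementK flashcards. LOG, SIGNATURES and the
baseline are made up for illustration.
"""
import re
from collections import Counter

# Constructed log: "<time> <src> <event> <detail>"
LOG = """\
10:00:01 10.1.1.5 login ok user=alice
10:00:05 10.1.1.5 http GET /index.html
10:00:09 203.0.113.7 http GET /cgi-bin/../../etc/passwd
10:00:10 203.0.113.7 login fail user=admin
10:00:11 203.0.113.7 login fail user=admin
10:00:12 203.0.113.7 login fail user=admin
10:00:13 203.0.113.7 login fail user=admin
10:00:14 203.0.113.7 login fail user=admin
10:00:20 10.1.1.9 login fail user=bob
10:00:25 10.1.1.9 login ok user=bob
"""

# Signature-based: one regex per known-bad pattern.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "etc-passwd": re.compile(r"/etc/passwd"),
}

# Anomaly-based: baseline learned on clean traffic (constructed value).
BASELINE_FAILS_PER_SOURCE = 1.0
ANOMALY_MULTIPLIER = 3.0  # alert when a source exceeds 3x the baseline


def parse(log):
    """Yield one dict per line; the format is the constructed one above."""
    for line in log.splitlines():
        time, src, event, detail = line.split(" ", 3)
        yield {"time": time, "src": src, "event": event, "detail": detail}


def signature_alerts(log):
    """Known attacks only: every line is checked against every signature."""
    alerts = []
    for rec in parse(log):
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["detail"]):
                alerts.append((rec["src"], name))
    return alerts


def anomaly_alerts(log, baseline=BASELINE_FAILS_PER_SOURCE, k=ANOMALY_MULTIPLIER):
    """Count failed logins per source; flag sources far above the baseline.
    A single failure (10.1.1.9, a typo) stays under the threshold."""
    fails = Counter(rec["src"] for rec in parse(log)
                    if rec["event"] == "login" and rec["detail"].startswith("fail"))
    return [(src, n) for src, n in fails.items() if n > k * baseline]


def ips_blocklist(log):
    """Prevention mode: sources either detector flagged, to push to a firewall."""
    return ({src for src, _ in signature_alerts(log)}
            | {src for src, _ in anomaly_alerts(log)})


if __name__ == "__main__":
    print("signature:", signature_alerts(LOG))  # two hits from 203.0.113.7
    print("anomaly:  ", anomaly_alerts(LOG))    # [('203.0.113.7', 5)]
    print("block:    ", ips_blocklist(LOG))     # {'203.0.113.7'}
```

The anomaly detector's weak point is its baseline: if it is learned while an attack is already under way, that traffic becomes "normal" and is never flagged. Prevention mode adds its own risk, since a false positive now blocks a legitimate source instead of just paging an admin, which is why many deployments run new rules in monitoring mode first.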
Penetration Test
controlled use of attack methods to test security; performed by internal staff or a 3rd party.
PROCESS:
1. Reconnaissance: collecting information about the target
2. Enumeration: gaining more details from the recon
3. Vulnerability analysis: using the information from enumeration to determine vulnerabilities
4. Exploit the vulnerabilities
Penetration Test Types (7)
Network scan - using a port scanner to enumerate applications
Social engineering - obtaining information to gain access to the system
War dialing - using a modem to dial numbers to locate systems (PBX, HVAC)
War driving - locates/attempts to penetrate wireless systems
Vulnerability scanning - checks for known weaknesses in OS/apps (found via recon/enumeration)
Blind testing - unknown test (Red Team)
Targeted testing - known test (Green Team)