Tips on Access Control
- Access is a flow of information between a subject and an object.
- A subject is an active entity that requests access to an object, which is a passive entity.
- A subject can be a user, program, or process.
- Some security mechanisms that provide confidentiality are encryption, logical and physical access control, transmission protocols, database views, and controlled traffic flow.
- Identity management solutions include directories, web access management, password management, legacy single sign-on, account management, and profile update.
- Password synchronization reduces the complexity of keeping up with different passwords for different systems.
- Self-service password reset reduces help-desk call volumes by allowing users to reset their own passwords.
- Assisted password reset shortens the resolution process for password issues handled by the help-desk department.
- IdM directories contain all resource information, users’ attributes, authorization profiles, roles, and possibly access control policies so other IdM applications have one centralized resource from which to gather this information.
- An automated workflow component is common in account management products that provide IdM solutions.
- User provisioning refers to the creation, maintenance, and deactivation of user objects and attributes, as they exist in one or more systems, directories, or applications.
- The HR database is usually considered the authoritative source for user identities because that is where it is first developed and properly maintained.
- There are three main access control models: discretionary, mandatory, and role-based.
- Discretionary access control (DAC) enables data owners to dictate what subjects have access to the files and resources they own.
- The mandatory access control (MAC) model uses a security label system. Users have clearances, and resources have security labels that contain data classifications. MAC systems compare these two attributes to determine access control capabilities.
- Role-based access control is based on the user’s role and responsibilities (tasks) within the company.
- Three main types of restricted interface measures exist: menus and shells, database views, and physically constrained interfaces.
- Access control lists are bound to objects and indicate what subjects can use them.
- A capability table is bound to a subject and lists what objects it can access.
- Access control can be administered in two main ways: centralized and decentralized.
- Some examples of centralized administration access control technologies are RADIUS, TACACS+, and Diameter.
- A decentralized administration example is a peer-to-peer working group.
- Examples of administrative controls are a security policy, personnel controls, supervisory structure, security-awareness training, and testing.
- Examples of physical controls are network segregation, perimeter security, computer controls, work area separation, and cabling.
- Examples of technical controls are system access, network architecture, network access, encryption and protocols, and auditing.
- For a subject to be able to access a resource, it must be identified, authenticated, and authorized, and should be held accountable for its actions.
- Authentication can be accomplished by biometrics, a password, a passphrase, a cognitive password, a one-time password, or a token.
- A Type I error in biometrics means the system rejected an authorized individual, and a Type II error means an imposter was authenticated.
- A memory card cannot process information, but a smart card can through the use of integrated circuits and processors.
- Least-privilege and need-to-know principles limit users’ rights to only what is needed to perform tasks of their job.
- Single sign-on capabilities can be accomplished through Kerberos, SESAME, domains, and thin clients.
- The Kerberos user receives a ticket granting ticket (TGT), which allows him to request access to resources through the ticket granting service (TGS). The TGS issues a service ticket for the requested resource along with a fresh session key shared by the client and that service.
- Types of access control attacks include denial of service, spoofing, dictionary, brute force, and war dialing.
- Keystroke monitoring is a type of auditing that tracks each keystroke made by a user.
- Object reuse can unintentionally disclose information by assigning media to a subject before it is properly erased.
- Just removing pointers to files (deleting file, formatting hard drive) is not always enough protection for proper object reuse.
- Information can be obtained from the electromagnetic emanations (radio-frequency signals) that equipment gives off. The ways to combat this type of intrusion are TEMPEST shielding, white noise, and control zones.
- User authentication is accomplished by what someone knows, is, or has.
- One-time password-generating token devices can use synchronous (time, event) or asynchronous (challenge-based) methods.
- Strong authentication requires two of the three user authentication attributes (what someone knows, is, or has).
- The following are weaknesses of Kerberos: the KDC is a single point of failure; it is susceptible to password guessing; session and secret keys are locally stored; KDC needs to always be available; and there must be management of secret keys.
- Phishing is a type of social engineering with the goal of obtaining personal information, credentials, credit card numbers, or financial data.
- A race condition is possible when two or more processes use a shared resource and the access steps could take place out of sequence, such as a check on a resource followed by a separate use of it that an attacker can interleave with (time-of-check/time-of-use).
- Mutual authentication is when two entities must authenticate to each other before sending data back and forth. Also referred to as two-way authentication.
- A directory service is a software component that stores, organizes, and provides access to resources, which are listed in a directory (listing) of resources. Individual resources are assigned names within a namespace.
- A cookie is data held persistently on disk as a text file or held temporarily in memory for the length of the browser session. It can be used to store browsing habits, authentication data, or protocol state information.
- A federated identity is a portable identity, and its associated entitlements, that can be used across business boundaries without the need to synchronize or consolidate directory information.
- Extensible Markup Language (XML) is a set of rules for encoding documents in machine-readable form to allow for interoperability between various web-based technologies.
- Service Provisioning Markup Language (SPML) is an XML-based framework, developed by OASIS, for exchanging user, resource, and service provisioning information between cooperating organizations.
- eXtensible Access Control Markup Language (XACML) is a declarative access control policy language implemented in XML, together with a processing model that describes how access requests are evaluated against those policies.
- Replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated with the goal of obtaining unauthorized access.
- Clipping level is a threshold value. Once a threshold value is passed, the activity is considered to be an event that is logged, investigated, or both.
- A rainbow table is a set of precomputed hash chains that cover a space of candidate passwords. Used in password attacks, it usually produces results more quickly than dictionary or brute force attacks, at the cost of the up-front computation and storage; a per-password salt defeats it, because the table would have to be recomputed for every salt value.
- Cognitive passwords are fact- or opinion-based information used to verify an individual’s identity.
- Smart cards can require physical interaction with a reader (contact) or no physical interaction with the reader (contactless architectures). Two contactless architectures are combi (one chip) and hybrid (two chips).
- A side channel attack is carried out by gathering data pertaining to how something works and using that data to attack it or crack it, as in differential power analysis or electromagnetic analysis.
- Authorization creep takes place when a user accumulates more access rights and permissions over time than the current job requires, typically because rights granted for earlier roles are never revoked.
- SESAME is a single sign-on technology developed to address issues in Kerberos. It is based upon public key cryptography (asymmetric) and uses privileged attribute servers and certificates.
- Security information and event management (SIEM) systems apply data mining and analysis to centralized logs to provide situational awareness.
- Intrusion detection systems are either host or network based and provide behavioral (statistical) or signature (knowledge) types of functionality.
- Phishing is a type of social engineering attack. If it is crafted for a specific individual, it is called spear-phishing. If a DNS server is poisoned and points users to a malicious website, this is referred to as pharming.
- A web portal is commonly made up of portlets, which are pluggable user interface software components that present information and services from other systems.
- The Service Provisioning Markup Language (SPML) allows for the automation of user management (account creation, amendments, revocation) and access entitlement configuration related to electronically published services across multiple provisioning systems.
- The Security Assertion Markup Language (SAML) allows authentication and authorization data to be exchanged between security domains.
- The Simple Object Access Protocol (SOAP) is a protocol specification for exchanging structured information in the implementation of web services and networked environments.
- Service oriented architecture (SOA) environments allow for a suite of interoperable services to be used within multiple, separate systems from several business domains.
- Radio-frequency identification (RFID) is a technology that provides data communication through the use of radio waves.
- Threat modeling identifies potential threats and attack vectors. Vulnerability analysis identifies weaknesses and lack of countermeasures.
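The three access control models (DAC, MAC, RBAC) and the ACL versus capability-table items above, as an added worked example that is not part of the original list: one small engine that runs the same request through each model. The subjects, objects, labels and roles are constructed sample data; the MAC decision assumes the Bell-LaPadula rules (no read up, no write down), which the list itself does not specify.

```python
"""Added example (not from the original list): a small access-check engine that
contrasts DAC via per-object ACLs, MAC via a clearance/label comparison, and
RBAC via role-to-permission maps, and shows the capability table as the
per-subject transpose of the ACLs. All subjects, objects, labels and roles are
constructed sample data; the MAC rules assume Bell-LaPadula."""
from dataclasses import dataclass, field

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass
class Subject:
    name: str
    clearance: str = "unclassified"
    roles: frozenset = field(default_factory=frozenset)


@dataclass
class Obj:
    name: str
    owner: str
    label: str = "unclassified"
    acl: dict = field(default_factory=dict)  # subject name -> set of rights (DAC)


def dac_allows(subject, obj, right):
    """DAC: the owner decides; the ACL is bound to the object."""
    if subject.name == obj.owner:
        return True
    return right in obj.acl.get(subject.name, set())


def capability_table(objects):
    """Same information as the ACLs, but bound to each subject (one row per subject)."""
    table = {}
    for o in objects:
        for subj_name, rights in o.acl.items():
            table.setdefault(subj_name, {})[o.name] = set(rights)
    return table


def mac_allows(subject, obj, right):
    """MAC: compare the subject's clearance with the object's label.
    Assumed Bell-LaPadula rules: read needs clearance >= label (no read up),
    write needs clearance <= label (no write down)."""
    c, lab = LEVELS[subject.clearance], LEVELS[obj.label]
    if right == "read":
        return c >= lab
    if right == "write":
        return c <= lab
    raise ValueError(f"unknown right {right!r}")


# RBAC: permissions are attached to roles, never directly to individuals.
ROLE_PERMS = {
    "clerk": {("ledger", "read")},
    "accountant": {("ledger", "read"), ("ledger", "write")},
}


def rbac_allows(subject, obj, right):
    return any((obj.name, right) in ROLE_PERMS.get(r, set()) for r in subject.roles)


def demo():
    """Run the same requests through each model and return the decisions."""
    alice = Subject("alice", clearance="secret", roles=frozenset({"accountant"}))
    bob = Subject("bob", clearance="confidential", roles=frozenset({"clerk"}))
    ledger = Obj("ledger", owner="alice", label="secret", acl={"bob": {"read"}})
    results = {}
    for subj in (alice, bob):
        for right in ("read", "write"):
            results[(subj.name, right)] = {
                "dac": dac_allows(subj, ledger, right),
                "mac": mac_allows(subj, ledger, right),
                "rbac": rbac_allows(subj, ledger, right),
            }
    results["capabilities"] = capability_table([ledger])
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The interesting row is bob: DAC lets him read because alice's ACL says so, MAC refuses the read because his clearance is below the label, and MAC allows the write (write up) while DAC and RBAC refuse it. The three models answer different questions, which is why real systems layer them rather than pick one.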
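The synchronous one-time-password token item above (time-based and event-based), as an added worked example that is not part of the original list: HOTP from RFC 4226 and TOTP from RFC 6238, plus the verifier-side logic a server needs, a clock-drift window for TOTP and a look-ahead window with counter resynchronization for HOTP. The secret and times are the published RFC test values, so the generated codes can be checked against the RFCs.

```python
"""Added example (not from the original list): RFC 4226 HOTP (event-based) and
RFC 6238 TOTP (time-based) with server-side verification. RFC_SECRET and the
times used in the demo are the RFCs' own test vectors."""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C): HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret: bytes, at_time=None, step: int = 30, digits: int = 6) -> str:
    """TOTP = HOTP with the counter derived from the clock (Unix time // step)."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time // step), digits)


def verify_totp(secret: bytes, code: str, at_time, window: int = 1, step: int = 30) -> bool:
    """Accept codes from +/- `window` time steps to tolerate clock drift; constant-time compare."""
    counter = int(at_time // step)
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


def verify_hotp(secret: bytes, code: str, last_counter: int, look_ahead: int = 5):
    """Event-based verification. The token button may have been pressed without a
    login, so the server searches a look-ahead window past its stored counter.
    Returns the new counter to store, or None. Counters <= last_counter are never
    re-accepted, which rejects a replayed code."""
    for c in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, c), code):
            return c
    return None


RFC_SECRET = b"12345678901234567890"  # shared secret from the RFC 4226 / RFC 6238 test vectors

if __name__ == "__main__":
    for c in range(3):
        print("HOTP counter", c, hotp(RFC_SECRET, c))
    print("TOTP at t=59:", totp(RFC_SECRET, 59))
    print("TOTP now:    ", totp(RFC_SECRET))
```

The verifier must store the last accepted counter (HOTP) or the last accepted time step (TOTP) per token; without that a code is valid for the whole window and can be replayed within it.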
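The mutual (two-way) authentication and replay attack items above, as an added worked example that is not part of the original list: a challenge-response handshake over a shared key in which each side issues a fresh nonce and the other side returns an HMAC over it. The example also shows two things a practitioner checks for: a captured response cannot be replayed against a later challenge, and binding the sender's name and role into the MAC stops a reflection attack in which the verifier's own answer from a parallel session is fed back to it. The party names, key, and message layout are constructed for the example; this is not a standard protocol.

```python
"""Added example (not from the original list): mutual challenge-response
authentication over a shared key, with replay and reflection defences.
Names, key and message layout are constructed; this is not a standard protocol."""
import hashlib
import hmac
import secrets


def mac(key: bytes, role: str, name: str, *nonces: bytes) -> bytes:
    """HMAC-SHA256 over role, the sender's name and the nonces, each length-prefixed
    so the encoding is unambiguous."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for part in (role.encode(), name.encode(), *nonces):
        m.update(len(part).to_bytes(2, "big") + part)
    return m.digest()


class Party:
    def __init__(self, name: str, peer: str, key: bytes):
        self.name, self.peer, self.key = name, peer, key
        self.my_nonce = None
        self.peer_ok = False   # did the *other* side prove knowledge of the key?

    # Step 1 (initiator -> responder): a fresh challenge.
    def challenge(self) -> bytes:
        self.my_nonce = secrets.token_bytes(16)
        return self.my_nonce

    # Step 2 (responder -> initiator): answer the challenge and issue our own.
    def respond(self, peer_nonce: bytes):
        self.my_nonce = secrets.token_bytes(16)
        return self.my_nonce, mac(self.key, "responder", self.name, peer_nonce, self.my_nonce)

    # Step 3 (initiator -> responder): verify the responder, then answer its challenge.
    def verify_response(self, peer_nonce: bytes, tag: bytes):
        expected = mac(self.key, "responder", self.peer, self.my_nonce, peer_nonce)
        if not hmac.compare_digest(expected, tag):
            return None                      # responder failed; send nothing further
        self.peer_ok = True
        return mac(self.key, "initiator", self.name, peer_nonce)

    # Step 4 (responder): verify the initiator's answer to our challenge.
    def verify_final(self, tag: bytes) -> bool:
        self.peer_ok = hmac.compare_digest(
            mac(self.key, "initiator", self.peer, self.my_nonce), tag)
        return self.peer_ok


def run_handshake(key_a: bytes, key_b: bytes):
    """Full exchange between A and B; returns (A trusts B, B trusts A)."""
    a, b = Party("A", "B", key_a), Party("B", "A", key_b)
    n_a = a.challenge()
    n_b, tag_b = b.respond(n_a)
    tag_a = a.verify_response(n_b, tag_b)
    if tag_a is not None:
        b.verify_final(tag_a)
    return a.peer_ok, b.peer_ok


def replay_attempt(key: bytes):
    """Record B's step-2 message from one session and replay it into a new one.
    The new session has a fresh challenge, so the old MAC does not verify."""
    a1, b1 = Party("A", "B", key), Party("B", "A", key)
    captured = b1.respond(a1.challenge())    # attacker records (n_b, tag_b)
    a2 = Party("A", "B", key)
    a2.challenge()                           # fresh nonce the attacker cannot answer
    return a2.verify_response(*captured)     # None: replay rejected


def reflection_attempt(key: bytes):
    """Attacker with no key opens a second session to A in which A is the responder,
    feeds A its own session-1 challenge, and returns A's answer to session 1."""
    a1 = Party("A", "B", key)                # session 1: A challenges "B"
    n_a = a1.challenge()
    a2 = Party("A", "B", key)                # session 2: attacker challenges A with n_a
    n_a2, tag_from_a = a2.respond(n_a)       # bound to name "A", role "responder"
    return a1.verify_response(n_a2, tag_from_a)   # None: A expected a tag bound to "B"


if __name__ == "__main__":
    k = secrets.token_bytes(32)
    print("same key  :", run_handshake(k, k))
    print("wrong key :", run_handshake(k, secrets.token_bytes(32)))
    print("replay    :", replay_attempt(k))
    print("reflection:", reflection_attempt(k))
```

If the sender's name were dropped from the MAC, the reflected tag in `reflection_attempt` would be exactly what session 1 expects and A would authenticate an attacker who never held the key; the nonces alone stop replay but not reflection.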
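The clipping-level item above, as an added worked example that is not part of the original list: detection logic run over constructed sshd-style log lines. Failures below the threshold (a user mistyping a password twice) are treated as noise; once the configured number of failures from the same key falls inside the time window, the crossing is reported as an event. The log lines, host name, user names and addresses are made up for the example.

```python
"""Added example (not from the original list): clipping-level detection over
constructed sshd-style log lines. SAMPLE_LOG is made-up data."""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
Jan 10 09:00:01 bastion sshd[4121]: Failed password for alice from 10.0.0.5 port 50122 ssh2
Jan 10 09:00:03 bastion sshd[4121]: Failed password for alice from 10.0.0.5 port 50123 ssh2
Jan 10 09:00:04 bastion sshd[4121]: Accepted password for alice from 10.0.0.5 port 50124 ssh2
Jan 10 09:01:10 bastion sshd[4130]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
Jan 10 09:01:11 bastion sshd[4130]: Failed password for invalid user admin from 203.0.113.9 port 40002 ssh2
Jan 10 09:01:12 bastion sshd[4130]: Failed password for invalid user admin from 203.0.113.9 port 40003 ssh2
Jan 10 09:01:13 bastion sshd[4130]: Failed password for invalid user root from 203.0.113.9 port 40004 ssh2
Jan 10 09:01:14 bastion sshd[4130]: Failed password for invalid user root from 203.0.113.9 port 40005 ssh2
Jan 10 09:01:15 bastion sshd[4130]: Failed password for bob from 203.0.113.9 port 40006 ssh2
Jan 10 09:20:00 bastion sshd[4150]: Failed password for bob from 198.51.100.4 port 40100 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(log_text):
    """Yield one dict per matching line; lines in another format are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=2024)  # syslog has no year
            yield {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect(log_text, threshold=5, window=60, key="src"):
    """Return (key value, count, timestamp) each time the failure count for a key
    reaches `threshold` inside a sliding `window` of seconds. The alert fires on the
    crossing only: the 5th failure reports, the 6th does not repeat it."""
    recent = defaultdict(deque)   # key -> timestamps of recent failures
    alerts = []
    for ev in parse(log_text):
        if ev["result"] != "Failed":
            continue
        q = recent[ev[key]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window:   # drop failures outside the window
            q.popleft()
        if len(q) == threshold:
            alerts.append((ev[key], len(q), ev["ts"].strftime("%b %d %H:%M:%S")))
    return alerts


if __name__ == "__main__":
    print("by source, 5 in 60 s:", detect(SAMPLE_LOG))
    print("by user,   3 in 60 s:", detect(SAMPLE_LOG, threshold=3, key="user"))
```

Keying by source address catches a single host spraying several accounts; keying by user catches one account being attacked from many hosts. Both views are usually needed, with different clipping levels.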
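The rainbow table item above, as an added worked example that is not part of the original list: a toy table over a tiny password space (4-digit PINs hashed with unsalted MD5) that shows how chains are built from reduction functions, how only the chain end points are stored, and how a lookup recovers a password from its hash. The same lookup is then run against a salted hash to show why a per-password salt defeats precomputation. MD5, the PIN space, the chain sizes and the salt are constructed choices for illustration only.

```python
"""Added example (not from the original list): a toy rainbow table over 4-digit
PINs with MD5 as a fast, weak target hash, plus a salted lookup that fails.
All parameters are constructed for illustration."""
import hashlib

SPACE = 10_000      # 4-digit PINs "0000".."9999"
CHAIN_LEN = 50      # password/hash pairs covered by each stored chain
N_CHAINS = 600      # stored (end, start) pairs: far fewer than SPACE hashes


def H(pw: str) -> str:
    return hashlib.md5(pw.encode()).hexdigest()


def R(i: int, h: str) -> str:
    """Column-i reduction function: maps a hash back into the PIN space. A different
    function per column keeps chains from collapsing into each other after one collision."""
    return f"{(int(h[:8], 16) + i) % SPACE:04d}"


def build_table() -> dict:
    """Each chain: start -H-> R0 -H-> R1 ... -H-> R(t-1) -> end.
    Only (end, start) is stored; intermediate values are recomputed on demand."""
    table = {}
    for n in range(N_CHAINS):
        start = f"{(n * 7919) % SPACE:04d}"   # deterministic spread of start points
        x = start
        for i in range(CHAIN_LEN):
            x = R(i, H(x))
        table.setdefault(x, start)            # merged chains keep the first start seen
    return table


def lookup(table: dict, target: str):
    """Return a PIN whose hash is `target`, or None.
    For each column i, assume the target sits there, finish the chain from that
    point and see whether the end point is stored; if so, walk that chain from its
    start and verify. The verification filters false alarms caused by chain merges."""
    for i in range(CHAIN_LEN - 1, -1, -1):
        x = R(i, target)
        for j in range(i + 1, CHAIN_LEN):
            x = R(j, H(x))
        start = table.get(x)
        if start is None:
            continue
        y = start
        for k in range(CHAIN_LEN):
            if H(y) == target:
                return y
            y = R(k, H(y))
    return None


def salted_hash(salt: str, pw: str) -> str:
    """Salt as a prefix: no chain ever hashed 'salt+pin', so the table cannot contain it."""
    return H(salt + pw)


if __name__ == "__main__":
    t = build_table()
    print("chains stored:", len(t))
    print("unsalted:", lookup(t, H("4711")))
    print("salted:  ", lookup(t, salted_hash("c0ffee", "4711")))
```

A table of this size does not cover the whole PIN space (merged chains waste work), which is the usual time/memory trade-off; a real table uses longer chains and many more of them. The salted lookup returns None not because the hash is stronger but because the precomputed chains were built over the wrong inputs.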