Information Security: CIA Triad and Access Control


Questions and Answers

In the context of the CIA Triad, what is the primary goal of ensuring 'availability'?

  • Guaranteeing the confidentiality of communications between parties.
  • Ensuring that authorized users have timely and reliable access to resources. (correct)
  • Preventing unauthorized disclosure of sensitive information.
  • Maintaining the accuracy and completeness of data.

An organization implements biometric scanning for building access. Which aspect of the CIA Triad is primarily strengthened by this measure?

  • All aspects of the CIA Triad are equally strengthened.
  • Confidentiality, by restricting physical access to authorized personnel. (correct)
  • Availability, by ensuring uninterrupted access to authorized employees.
  • Integrity, by logging entries and exits of each person.

Which access control type focuses on returning systems to a normal operational state after a security incident?

  • Corrective access control
  • Recovery access control (correct)
  • Preventive access control
  • Detective access control

A company decides to implement security cameras and alarm systems. This is an example of which type of access control?

  • Deterrent: visible controls that discourage an attempt rather than physically prevent it. (correct)

In a layered security model, what is the primary advantage of deploying multiple types of access controls?

  • A failure in one access control is compensated by the others, so overall security does not depend on any single control. (correct)

What is the key difference between 'identification' and 'authentication' in the process of accountability?

  • Identification is the act of claiming an identity (for example, presenting a username), while authentication verifies that the claim is genuine. (correct)

Which type of authentication factor is inherently the most resistant to remote attacks involving compromised credentials?

  • Something you are (e.g., a fingerprint), because it cannot be phished or reused like a password, although the stored template and the sensor still need protecting. (correct)

When auditing user activity, what is the primary purpose of comparing audit trails with authorization records?

  • To determine whether user actions align with their granted access rights and organizational policies. (correct)

Why is storing passwords only as one-way hashes (what older texts call one-way encryption) crucial for password security?

  • It prevents attackers from directly obtaining plaintext passwords from a breached database; each password must instead be guessed and tested against its hash. (correct)

Which approach is most effective in defending against both brute-force and dictionary attacks on passwords?

  • Implementing multi-factor authentication, so that a guessed password alone is not enough to log in. (correct)

How does disabling user accounts after short periods of inactivity enhance security?

  • It reduces the risk of unauthorized access through unattended sessions and dormant accounts that nobody is monitoring. (correct)

What is the significance of the 'crossover error rate' (CER) in biometrics?

  • It is the point at which the false acceptance rate (FAR) and false rejection rate (FRR) are equal, and it serves as the overall accuracy figure for comparing biometric systems. (correct)

Which type of token is most vulnerable to interception and replay attacks if not properly secured?

  • Static tokens, because they present the same value every time, so a captured value can simply be replayed. (correct)

In the Kerberos authentication process, what is the primary function of the Ticket Granting Ticket (TGT)?

  • It proves to the KDC that the user has already authenticated, so the client can request service tickets for multiple services without re-entering credentials. (correct)

A Kerberos client is unable to access a network service, despite successfully authenticating with the KDC. What is the most likely cause?

  • All of the above. (correct)

What is a primary limitation of Kerberos in modern network environments?

  • Its reliance on a constantly available and trusted Key Distribution Center (KDC). (correct)

Which of the following is a key characteristic that distinguishes discretionary access control (DAC) from mandatory access control (MAC)?

  • DAC allows data owners to grant or deny access to resources, while MAC relies on system-wide policies enforced by the operating system. (correct)

In a mandatory access control (MAC) system, what is the primary purpose of security labels?

  • To assign security levels to both subjects (users) and objects (resources) so that the system can compare them and decide access. (correct)

Why is a 'hybrid environment' considered a complex implementation of mandatory access control (MAC)?

  • Because it combines hierarchical levels with compartments, so every access decision must check both the level ordering and compartment membership, leading to intricate policy configurations. (correct)

When transitioning from role-based access control (RBAC) to task-based access control, what is the most significant shift in access permission assignment?

  • From assigning permissions based on job function to assigning permissions based on the specific duties a user must perform. (correct)

How does centralized access control simplify security management compared to decentralized models?

  • By consolidating access control policies and enforcement mechanisms in a single system, ensuring consistency and easier auditing. (correct)

What is the key distinction between Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access-Control System Plus (TACACS+)?

  • RADIUS combines authentication and authorization into a single exchange, while TACACS+ separates authentication, authorization and accounting into distinct functions. (correct)

In account administration, what is the primary goal of implementing the principle of least privilege?

  • To minimize the potential damage from insider threats and malware by limiting users' access rights to what their duties require. (correct)

What is the main objective of 'Separation of Duties' in account administration?

  • To prevent fraud, errors, and conflicts of interest by dividing critical tasks among multiple individuals. (correct)

When should 'Need-to-Know' access be enforced in an organization?

  • For any access to sensitive or confidential data, regardless of the user's role or clearance. (correct)

Flashcards

Confidentiality

Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

Integrity

Guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity.

Availability

Ensuring timely and reliable access to and use of information.

Preventive access control

Controls that attempt to prevent incidents from occurring.

Deterrent access control

Controls that discourage individuals from causing an incident.

Detective access control

Controls that are intended to find unwanted events that have occurred.

Recovery access control

Controls that are used to bring systems back to their original state.

Compensation access control

Controls that provide an alternative when a primary control cannot be implemented or has failed.

Directive access control

Controls that direct or constrain the actions of subjects, such as policies, procedures and posted rules.

Type 1 Authentication

Authentication factor based on something you know, like a password or PIN.

Type 2 Authentication

Authentication factor based on something you have, like a smart card or token.

Type 3 Authentication

Authentication factor based on something you are, like a fingerprint or iris scan.

Auditing

Process of tracking and recording the activities of user accounts and processes.

Network traffic analysis (sniffing)

Analyzing network traffic to intercept sensitive information such as passwords.

Brute-force attack

A method of password cracking that tries every possible password combination.

Dictionary attack

A method of password cracking that uses a list of common passwords.

Password storage

Store passwords only as salted, slow one-way hashes (what older texts call one-way encryption), never reversibly encrypted or in clear text.

Biometrics

Authentication methods that use unique physical or behavioural characteristics for verification.

Tokens

A type of authentication using hardware or software devices that generate security codes.

Kerberos

An authentication protocol that provides single sign-on capability.

Discretionary Access Control

Access control determined by the owner of the resource.

Nondiscretionary Access Control

Access control not determined by the owner, but by security policies set by the system or its administrators.

Mandatory Access Control

Strict access control based on security labels assigned to subjects and objects.

Role-Based Access Control

Access based on the roles users have within the organization.

Task-Based Access Control

Access based on specific tasks a user needs to perform.

Study Notes

  • Information security is the practice of protecting information assets.

CIA Triad

  • The CIA triad consists of confidentiality, integrity, and availability.
  • Confidentiality ensures that information is accessible only to authorized users.
  • Integrity maintains the accuracy and completeness of information.
  • Availability ensures that authorized users have reliable access to information and resources.

Types of Access Control

  • Preventive access control aims to prevent security incidents from occurring.
  • Deterrent access controls discourage individuals from attempting to violate security policies.
  • Detective access control identifies and records security breaches or incidents that do occur.
  • Corrective access control mitigates the impact of security incidents or breaches.
  • Recovery access control restores systems and data after a security incident.
  • Compensation access controls provide alternatives when primary controls fail or cannot be implemented.
  • Directive access control provides mandatory rules or policies that direct the behaviour of subjects.
  • Administrative access controls are the policies and procedures for managing user access and permissions.
  • Logical/technical access controls are hardware and software mechanisms used to manage access control.
  • Physical access controls are tangible security measures like locks, fences, and security guards.

Access Control in a Layered Environment

  • Layered security, also known as defense in depth, deploys multiple access control layers so that the failure or bypass of one control is compensated by the others.

The Process of Accountability

  • Identification is the process by which a user or entity claims an identity, for example by presenting a username; the claim is not yet trusted.
  • Authentication verifies that claim using one or more factors.
  • Type 1 authentication factor is something you know, such as a password.
  • Type 2 authentication factor is something you have, such as a smart card.
  • Type 3 authentication factor is something you are, commonly biometrics.
  • Multi-factor authentication uses two or more factors of different types; two passwords are still a single factor.
  • Authorization determines what actions, resources, or data an authenticated user can access.

Auditing and Accountability

  • Auditing tracks and records the activities of user accounts and processes.
  • Accountability is established by comparing the audit trail of what authenticated accounts actually did against the authorization records of what they were permitted to do.
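The comparison described above, as an added example that is not part of the original page: the authorization table and the audit log lines are constructed for the example, and the reconciliation flags every record that does not fit the granted rights, distinguishing a successful action outside policy (an enforcement gap) from a denied attempt (a probe), a denial of something policy allows (a misconfiguration), and activity by an account with no authorization record at all.

```python
import csv
import io
from typing import Dict, List, Set, Tuple

# Constructed authorization records: user -> set of (action, resource) pairs granted.
AUTHORIZATIONS: Dict[str, Set[Tuple[str, str]]] = {
    "alice": {("read", "payroll_db"), ("write", "payroll_db")},
    "bob":   {("read", "payroll_db")},
    "carol": {("read", "hr_docs")},
}

# Constructed audit trail in CSV form (timestamp,user,action,resource,result).
AUDIT_LOG = """timestamp,user,action,resource,result
2024-03-01T08:02:11Z,alice,read,payroll_db,success
2024-03-01T08:05:40Z,bob,write,payroll_db,success
2024-03-01T08:06:02Z,carol,read,payroll_db,denied
2024-03-01T08:09:15Z,dave,read,hr_docs,success
2024-03-01T08:11:30Z,alice,write,payroll_db,success
2024-03-01T08:12:05Z,bob,read,payroll_db,denied
"""


def review_audit_trail(log_text: str,
                       authz: Dict[str, Set[Tuple[str, str]]]) -> List[dict]:
    """Return one finding per audit record that does not reconcile with the authorization records."""
    findings: List[dict] = []
    for row in csv.DictReader(io.StringIO(log_text)):
        user, action, resource, result = row["user"], row["action"], row["resource"], row["result"]
        permitted = (action, resource) in authz.get(user, set())
        if user not in authz:
            reason = "unknown account: no authorization record exists"
        elif result == "success" and not permitted:
            reason = "enforcement gap: successful action outside granted rights"
        elif result == "denied" and not permitted:
            reason = "policy probe: denied attempt outside granted rights"
        elif result == "denied" and permitted:
            reason = "misconfiguration: denied an action that policy allows"
        else:
            continue                      # success inside granted rights: accountable, nothing to flag
        findings.append({**row, "reason": reason})
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Count findings by category (the word before the colon in each reason)."""
    counts: Dict[str, int] = {}
    for f in findings:
        category = f["reason"].split(":")[0]
        counts[category] = counts.get(category, 0) + 1
    return counts
```

Alice's two records reconcile and produce nothing; the other four each produce a finding. The enforcement-gap category is the one to escalate first, since it means the system allowed something the authorization records say it should have refused.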

Identification and Authentication Techniques

  • Passwords can be static or dynamic.
  • Static passwords remain constant until changed by the user.
  • Dynamic passwords change periodically or with each use.

Password Security

  • Passwords should be stored only as one-way hashes (what older texts call one-way encryption), using a salted, deliberately slow algorithm such as bcrypt, scrypt, Argon2 or PBKDF2, so that a stolen database cannot be reversed and each guess costs the attacker real work.
  • Passwords should not be transmitted in clear text or with weak encryption.
  • Password verification and cracking tools should be used to identify weak passwords.
  • Idle user accounts should be disabled after short periods of inactivity.
  • Users should be required to change passwords regularly (note that current NIST SP 800-63B guidance advises against forced periodic rotation and instead requires a change when compromise is suspected).
  • Passwords should not be displayed in clear form on any screen.
  • Longer passwords (16+ characters) are better.
  • A list of passwords to avoid should be made available to users and, where possible, checked at password creation.
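The storage practice the notes describe, as an added example that is not part of the original page: a per-user random salt and a slow PBKDF2-HMAC-SHA256 hash stored in a self-describing record, verification with a constant-time comparison, and, for contrast, why an unsalted fast hash lets a dictionary attack crack a whole breached table with a single precomputed lookup. The iteration count, the wordlist and the sample users are constructed for the example.

```python
import hashlib
import hmac
import os
from base64 import b64decode, b64encode
from typing import Dict, Optional

# Work factor for PBKDF2-HMAC-SHA256 (constructed for this example; raise it as hardware allows).
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$hash' for storage."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)   # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join(["pbkdf2_sha256", str(ITERATIONS),
                     b64encode(salt).decode("ascii"), b64encode(digest).decode("ascii")])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_b64, hash_b64 = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    expected = b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    b64decode(salt_b64), int(iterations), len(expected))
    return hmac.compare_digest(candidate, expected)   # no early exit that leaks how many bytes matched


# --- the weak alternative, for contrast ---

def unsalted_sha256(password: str) -> str:
    """Fast, unsalted hash: every user with the same password gets the same stored value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed wordlist standing in for a real dictionary of common passwords.
WORDLIST = ["password", "123456", "letmein", "qwerty", "Winter2024!"]


def dictionary_attack_unsalted(stolen: Dict[str, str]) -> Dict[str, str]:
    """One precomputed table of WORDLIST hashes cracks every matching user at once."""
    table = {unsalted_sha256(word): word for word in WORDLIST}
    return {user: table[h] for user, h in stolen.items() if h in table}


def dictionary_attack_salted(stolen: Dict[str, str]) -> Dict[str, str]:
    """With a per-user salt and a slow hash there is no shared table: each guess costs a full
    PBKDF2 run against each user separately. Weak passwords still fall, just far more slowly."""
    cracked: Dict[str, str] = {}
    for user, record in stolen.items():
        for word in WORDLIST:
            if verify_password(word, record):
                cracked[user] = word
                break
    return cracked
```

The salted record still yields "letmein" to a determined attacker; what changes is the cost per guess and the loss of any precomputation across users, which is exactly why the notes pair slow one-way hashing with a ban on common passwords.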

Biometrics

  • Common biometric methods include fingerprints, face scans, retina scans, iris scans, palm scans, hand geometry, heart/pulse patterns, voice recognition, and signature dynamics.

Tokens

  • Static tokens present the same fixed value every time, so a captured value can be replayed.
  • Synchronous dynamic password tokens generate one-time codes from a secret shared with the server plus a time window or counter that both sides keep in step.
  • Asynchronous dynamic password tokens use challenge-response: the system issues a challenge (typically a random nonce) and the token computes the response from the challenge and its secret, so each response is valid for that challenge only.
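Both dynamic token types, as an added example that is not part of the original page: a synchronous time-based token implemented as RFC 6238 TOTP over RFC 4226 HOTP, with a server-side verifier that tolerates one step of clock drift and refuses to accept a consumed time step again, and an asynchronous challenge-response token whose response is an HMAC over a server nonce that is valid exactly once. The shared secret is the RFC 4226/6238 test-vector key, chosen so the outputs can be checked against the published vectors; the class and function names are this example's own.

```python
import hashlib
import hmac
import os
import struct
from typing import Set

# RFC 4226 / RFC 6238 test-vector secret (constructed for the example; real tokens get a random secret at enrollment).
SECRET = b"12345678901234567890"
TIME_STEP = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = TIME_STEP) -> str:
    """Synchronous token: the counter is the current time step, so token and server stay in sync by clock."""
    return hotp(secret, at // step)


class SynchronousVerifier:
    """Server side for a time-based token: accept +/- `skew` steps of drift, never accept a step twice."""

    def __init__(self, secret: bytes, step: int = TIME_STEP, skew: int = 1):
        self.secret, self.step, self.skew = secret, step, skew
        self.used: Set[int] = set()          # time steps already consumed (replay defence)

    def verify(self, code: str, now: int) -> bool:
        base = now // self.step
        for counter in range(base - self.skew, base + self.skew + 1):
            if counter in self.used:
                continue
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.used.add(counter)
                return True
        return False


class ChallengeResponseVerifier:
    """Asynchronous token: the server issues a random nonce and the token answers HMAC(secret, nonce)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.outstanding: Set[bytes] = set()   # challenges issued but not yet answered

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    @staticmethod
    def token_response(secret: bytes, nonce: bytes) -> str:
        """What the token (or its software equivalent) computes when shown the challenge."""
        return hmac.new(secret, nonce, hashlib.sha256).hexdigest()

    def verify(self, nonce: bytes, response: str) -> bool:
        if nonce not in self.outstanding:
            return False                       # unknown, expired or already-consumed challenge
        self.outstanding.discard(nonce)        # one-shot: a replayed response fails even if correct
        return hmac.compare_digest(self.token_response(self.secret, nonce), response)
```

A static token would be the degenerate case of `ChallengeResponseVerifier` with no nonce: the same response every time, and nothing for the server to refuse on replay.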

Tickets

  • Single Sign-On (SSO) allows users to access multiple applications with one set of credentials.

Kerberos

  • Kerberos is an SSO protocol.
  • In the Kerberos logon process, a user types a username and password into the client.
  • The client does not send the password. It derives the user's long-term key from the password and, with pre-authentication, sends the Key Distribution Center (KDC) a timestamp encrypted under that key (AES in modern deployments).
  • The KDC holds the same key for the user, decrypts the timestamp to verify the credentials, and issues a Ticket Granting Ticket (TGT) encrypted with the KDC's own long-term key, together with a session key encrypted with the user's key.
  • The client decrypts the session key with the user's key and caches the TGT, which it can present but not read, until it expires.

Kerberos Server Access

  • The client sends the TGT back to the KDC with a request for a specific service, plus an authenticator (a timestamp encrypted with the TGT session key).
  • The KDC decrypts the TGT with its own key, checks the authenticator, and confirms that the user may be issued a ticket for that service.
  • A service ticket (ST) encrypted with the service's long-term key is generated and sent to the client, along with a service session key.
  • The client sends the ST and a fresh authenticator to the server or service host.
  • The server verifies the ST with its own long-term key and checks the authenticator; it does not need to contact the KDC.
  • Identity is now verified and the Kerberos part is complete; the server still applies its own authorization to decide what the authenticated user may do.
  • The server opens a session and begins communications with the client.

Limitations of Kerberos

  • Kerberos is susceptible to dictionary and brute-force attacks: captured pre-authentication data and service tickets are encrypted with keys derived from passwords, so weak passwords can be guessed offline.
  • Tickets and session keys are held in memory on the client and server, and an attacker who can read that memory can reuse them.
  • Captured tickets can be replayed if reused within their lifetime unless the server enforces the authenticator timestamp and keeps a replay cache.
  • Ticket freshness rests on timestamps and the user's key on the password, so Kerberos requires synchronized clocks (typically within five minutes) and strong passwords.
  • Kerberos only protects the authentication exchange; application data is protected only if the application goes on to use the session key for encryption or integrity.
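The three exchanges described in the Kerberos logon, server-access and limitations notes above, as an added example that is not part of the original page or of any Kerberos implementation. A toy authenticated encryption built from HMAC stands in for the AES enctypes (constructed for the example; not for real use), the realm, principal and service names are made up, and the `run_scenario` function exercises a good logon, a replay of the captured ticket and authenticator within its lifetime, an expired ticket, and a wrong password, each of which the code rejects at the step the notes describe.

```python
import hashlib, hmac, json, os
from typing import Dict, Tuple

SKEW, LIFETIME = 300, 8 * 3600          # allowed clock skew and ticket lifetime, in seconds

# Toy authenticated encryption (HMAC keystream + HMAC tag); a stand-in for Kerberos AES enctypes.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key: bytes, msg: dict) -> bytes:
    pt, nonce = json.dumps(msg, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def string_to_key(password: str, salt: str) -> bytes:
    """Client and KDC both derive the user's long-term key from the password; the password is never sent."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096, 32)

def _check_authenticator(auth: dict, ticket: dict, now: int) -> None:
    if auth["client"] != ticket["client"] or abs(auth["timestamp"] - now) > SKEW:
        raise ValueError("authenticator does not match ticket or is stale")

class KDC:
    def __init__(self, realm: str):
        self.realm, self.krbtgt_key = realm, os.urandom(32)
        self.user_keys: Dict[str, bytes] = {}
        self.service_keys: Dict[str, bytes] = {}
    def enroll_user(self, user: str, password: str) -> None:
        self.user_keys[user] = string_to_key(password, self.realm + user)
    def enroll_service(self, spn: str) -> bytes:
        self.service_keys[spn] = os.urandom(32)
        return self.service_keys[spn]
    def as_exchange(self, user: str, preauth: bytes, now: int) -> Tuple[bytes, bytes]:
        """AS-REQ/AS-REP: check the pre-auth timestamp; return TGT (under krbtgt key) + session key (under user key)."""
        user_key = self.user_keys[user]
        if abs(unseal(user_key, preauth)["timestamp"] - now) > SKEW:   # unseal raises on a wrong password
            raise ValueError("clock skew too great")
        session_key = os.urandom(32)
        tgt = seal(self.krbtgt_key, {"client": user, "key": session_key.hex(), "expires": now + LIFETIME})
        return tgt, seal(user_key, {"key": session_key.hex()})
    def tgs_exchange(self, tgt: bytes, authenticator: bytes, spn: str, now: int) -> Tuple[bytes, bytes]:
        """TGS-REQ/TGS-REP: read the TGT with the KDC's own key, check the authenticator, issue a service ticket."""
        ticket = unseal(self.krbtgt_key, tgt)
        if ticket["expires"] < now:
            raise ValueError("TGT expired")
        session_key = bytes.fromhex(ticket["key"])
        _check_authenticator(unseal(session_key, authenticator), ticket, now)
        svc_session = os.urandom(32)
        st = seal(self.service_keys[spn], {"client": ticket["client"], "key": svc_session.hex(), "expires": now + LIFETIME})
        return st, seal(session_key, {"key": svc_session.hex(), "service": spn})

class Service:
    """Application server: validates the ST with its own long-term key and never contacts the KDC."""
    def __init__(self, key: bytes):
        self.key, self.replay_cache = key, set()
    def ap_exchange(self, st: bytes, authenticator: bytes, now: int) -> str:
        ticket = unseal(self.key, st)
        if ticket["expires"] < now:
            raise ValueError("service ticket expired")
        auth = unseal(bytes.fromhex(ticket["key"]), authenticator)
        _check_authenticator(auth, ticket, now)
        if (auth["client"], auth["timestamp"]) in self.replay_cache:
            raise ValueError("replayed authenticator")
        self.replay_cache.add((auth["client"], auth["timestamp"]))
        return ticket["client"]      # authenticated principal; authorization remains the service's job

def client_logon(kdc: KDC, user: str, password: str, spn: str, now: int) -> Tuple[bytes, bytes]:
    """Client side of the whole flow: AS exchange, TGS exchange, then ST + authenticator for the server."""
    user_key = string_to_key(password, kdc.realm + user)
    tgt, enc_session = kdc.as_exchange(user, seal(user_key, {"timestamp": now}), now)
    session_key = bytes.fromhex(unseal(user_key, enc_session)["key"])
    st, enc_svc = kdc.tgs_exchange(tgt, seal(session_key, {"client": user, "timestamp": now}), spn, now)
    svc_session = bytes.fromhex(unseal(session_key, enc_svc)["key"])
    return st, seal(svc_session, {"client": user, "timestamp": now})

def run_scenario(now: int = 1_700_000_000) -> Dict[str, bool]:
    """Good logon, replay of the captured ST + authenticator, expired ticket, wrong password."""
    kdc = KDC("EXAMPLE.COM")
    kdc.enroll_user("alice", "correct horse battery staple")
    files = Service(kdc.enroll_service("host/files.example.com"))
    st, auth = client_logon(kdc, "alice", "correct horse battery staple", "host/files.example.com", now)
    out = {"logon_ok": files.ap_exchange(st, auth, now) == "alice"}
    for name, args in [("replay_rejected", (st, auth, now)), ("expired_rejected", (st, auth, now + LIFETIME + 1))]:
        try:
            files.ap_exchange(*args)
            out[name] = False
        except ValueError:
            out[name] = True
    try:
        client_logon(kdc, "alice", "wrong password", "host/files.example.com", now)
        out["wrong_password_rejected"] = False
    except ValueError:
        out["wrong_password_rejected"] = True
    return out
```

Two of the limitations in the notes are visible in the code: the wrong-password case fails inside `unseal` at the KDC, which means a captured pre-authentication blob can be tried offline against password guesses with no KDC involvement, and a replay that the replay cache catches would succeed against a server that skipped that check, since the ticket itself is still within its lifetime.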

Other Ticket Systems

  • Other ticket systems include SESAME (Secure European System for Applications in a Multivendor Environment), KryptoKnight (IBM), NetSP, and thin clients (e.g., DameWare).
  • Directory services such as Microsoft’s Active Directory and Novell’s NetWare Directory Services (NDS) are also used.
  • Scripted access or logon scripts can control access.

Access Control Techniques

  • Discretionary access control allows data owners to grant or deny access to resources.
  • Nondiscretionary access control implements access restrictions based on predefined rules set by the system or its administrators rather than by the resource owner.
  • Mandatory access control assigns security labels/classifications to both subjects and objects and permits access only when the subject's clearance satisfies the object's label.
  • Role-based access control grants access based on a user's role within an organization.
  • Task-based access control grants access based on the tasks a user needs to perform.

Mandatory Access Controls

  • Common security labels include top secret, secret, confidential, sensitive but unclassified (SBU), and unclassified.

Mandatory Access Control Types

  • Hierarchical environments have a clear chain of command and access levels.
  • Compartmentalized environments segregate information into isolated compartments.
  • Hybrid environments combine aspects of hierarchical and compartmentalized models.

Access Control Methodologies and Implementation

  • Centralized access control uses a central server to authenticate and authorize users.
  • Remote Authentication Dial-In User Service (RADIUS) provides centralized authentication; it combines authentication and authorization in one exchange and encrypts only the password attribute of its packets.
  • Terminal Access Controller Access Control System Plus (TACACS+) serves the same role for network access control but separates authentication, authorization and accounting into distinct functions and encrypts the entire packet body.
  • Decentralized access control distributes access management functions across multiple systems.

Account Administration

  • Account administration tasks include creating new accounts, account maintenance, monitoring of logs and journals, managing access rights and permissions, and implementing the principle of least privilege.
  • Need-to-know access limits access to only the information required for a specific job.
  • Separation of duties divides responsibilities to prevent fraud and errors.
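The access control models from the Access Control Techniques and Mandatory Access Control Types notes, together with the separation-of-duties rule from this section, as one added example that is not part of the original page. The MAC label combines a hierarchical level (the ordering of the labels listed in the notes) with a set of compartments, which is the hybrid environment: a subject dominates an object only when both the level and the compartment check pass, and read/write follow the Bell-LaPadula no-read-up and no-write-down rules. The DAC object lets only its owner change the ACL, and the RBAC assignment refuses any combination of roles that a constructed mutually-exclusive list marks as a separation-of-duties conflict. Role names, permissions and users are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set

# Hierarchical levels from the notes, ordered lowest to highest.
LEVELS = ["unclassified", "sbu", "confidential", "secret", "top secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """A MAC security label: hierarchical level plus a set of compartments (hybrid environment)."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order: level at least as high AND compartments a superset of the other's."""
        return RANK[self.level] >= RANK[other.level] and self.compartments >= other.compartments


def mac_allows(subject: Label, obj: Label, action: str) -> bool:
    """Bell-LaPadula: read only what you dominate (no read up); write only to what dominates you (no write down)."""
    if action == "read":
        return subject.dominates(obj)
    if action == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown action {action!r}")


@dataclass
class DacObject:
    """DAC: the owner, not the system, decides who else gets which rights."""
    owner: str
    acl: Dict[str, Set[str]] = field(default_factory=dict)

    def grant(self, by: str, user: str, action: str) -> bool:
        """Add a right to the ACL; returns False (and changes nothing) unless the owner is granting."""
        if by != self.owner:
            return False
        self.acl.setdefault(user, set()).add(action)
        return True


def dac_allows(obj: DacObject, user: str, action: str) -> bool:
    return user == obj.owner or action in obj.acl.get(user, set())


# RBAC with a separation-of-duties constraint: no one may hold both halves of a two-person task.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "ap_clerk": {"create_invoice"},
    "ap_approver": {"approve_invoice"},
    "auditor": {"read_ledger"},
}
MUTUALLY_EXCLUSIVE: List[Set[str]] = [{"ap_clerk", "ap_approver"}]   # constructed SoD policy


def assign_role(user_roles: Dict[str, Set[str]], user: str, role: str) -> bool:
    """Add a role unless the resulting set violates separation of duties; returns whether it was added."""
    proposed = user_roles.get(user, set()) | {role}
    if any(pair <= proposed for pair in MUTUALLY_EXCLUSIVE):
        return False
    user_roles[user] = proposed
    return True


def rbac_allows(user_roles: Dict[str, Set[str]], user: str, permission: str) -> bool:
    """Permissions come from roles, never from the user directly."""
    return any(permission in ROLE_PERMISSIONS[r] for r in user_roles.get(user, set()))
```

The compartment check is what makes the hybrid model stricter than a purely hierarchical one: a top-secret clearance with no compartments cannot read a secret document tagged with a compartment, which is the need-to-know principle from this section enforced by the label rather than by administrative discretion.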
