Name the 6 control types.
- Preventive--for reducing risk
- Detective--for identifying violations and incidents
- Corrective--for remedying violations & incidents
- Deterrent--for discouraging violations
- Recovery--for restoring systems and information
- Compensating--for providing alternative ways of achieving a task
Define subject and object.
- A subject is an active entity that accesses or acts on an object.
- An object is a passive entity that a subject acts upon or accesses.
Name the 3 types of access controls.
Name some preventive technical controls.
- Encryption--DES, AES, and Merkle-Hellman Knapsack
- Access control mechanisms--Biometrics, smart cards, and tokens
- Access control list--Permission list that defines what a subject can or cannot do to an object
- Remote access authentication protocols--PAP, CHAP, RADIUS, and LDAP
Name some detective technical controls.
- Violation reports
- Audit trails
- Network monitoring and intrusion detection
Name some preventive physical controls.
- Security perimeters, such as fences, locked doors, and restricted areas
- Guards and dogs
Name some detective physical controls.
- Motion detectors
- Video cameras
Authentication determines whether a subject can log in.
- Identification is the act of claiming a specific identity.
- Authentication is the act of verifying that identity.
Authorization determines what a subject can do (as defined by assigned rights and permissions).
Accountability determines what the subject did.
Name the 2 categories of access controls.
- System access controls--protect the entire system and provide the first line of defense for the data contained on the system
- Data access controls--protect the data contained on the system.
Name the 3 factors on which authentication can be based.
- Something you know--passwords or PINs
- Something you have--smart cards or tokens
- Something you are--fingerprint, voice, retina, or iris characteristics
Problems with passwords include:
- They tend to be insecure.
- They are easily broken.
- They can be inconvenient.
- They are refutable.
What policies should an organization have in place concerning passwords?
- Password length
- Password complexity
- Password age (maximum age and minimum age)
- Password history
- Limit unsuccessful login attempts
- Set a lockout duration
- Limit the times at which a user can log in
- System messages, including login banners that give legal warnings and note the last successful login. Display of the last username should be disabled.
Necessary factors for an effective biometric access control system include:
- Accuracy--CER < 10%
- Speed and throughput--~5 seconds with a throughput of 6-10 per minute
- Data storage requirements
Define FRR (type I error)
The False Reject Rate is the percentage at which authorized users are incorrectly denied access.
Define FAR (type II error)
The False Accept Rate is the percentage at which unauthorized users are granted access.
The Crossover Error Rate is the point at which the FRR equals the FAR, stated as a percentage.
Common physiological biometric systems include:
- Fingerprint recognition and finger scan systems
- Hand geometry systems
- Retina pattern
- Iris pattern
Name three types of tokens.
- Static password tokens--static passwords or certificates
- Synchronous dynamic password tokens--a password that changes based on a time interval or an event
- Asynchronous dynamic password tokens--a password that is calculated in response to a system-generated random challenge string