Disclaimer

These are my personal notes and not a complete course

Introduction

Access controls enforce that only the people the data owner allows can access the data, and that they can do only the things the data owner allows them to do.

Primary Concerns

  • Who owns the data?
  • Who consumes/uses the data?
  • Who shouldn't have access to the data?

Security Concepts

  • Confidentiality
  • Integrity
  • Availability

Data control Terms

  • Subject - A person / end user
  • Object - The data a subject is accessing

Degrees of access control

  • Read-only - Can see, but cannot edit the data
  • Contributor - Can read, and also modify/add data

Operational Terms

  • Identification - Determine the identity of a subject
  • Authentication - Validate a subject's identity
  • Authorization - Validate their access against a directory
  • LDAP - Lightweight Directory Access Protocol - Commonly used directory service for authorization
  • X.500 - LDAP standard
  • Accountability - Ensuring that the access controls are applied
  • Race Condition - When processes carry out the activities they are set to perform in an incorrect order, e.g. authorizing before authenticating
  • Cookie - Stored in a text file / Credential information stored for repeated use / Allows web sites to track a user session across multiple pages
  • Single Sign On (SSO) - Subject logs on once and can then access objects in different systems
  • User Provisioning - Automatable lifecycle management for accounts and permission assignments
  • Federated Identities - Trust between systems, so that one system trusts the authentication of another system
  • Markup Languages
  • Biometrics
    • Fingerprint
    • Palm scan
    • Hand geometry
    • Iris scan
    • Signature dynamics
    • Voice Print
  • Password - String of characters the subject remembers to authenticate
  • Rainbow Table - Collection of (password) hash results
  • Clipping Level - Threshold
  • Token Devices
    • Synchronous - Time or counter based synchronisation
    • Asynchronous - Challenge / Response
  • Kerberos - Authentication protocol used by Active Directory and invented by MIT
  • NTP - Network Time Protocol
  • Models for Access Control
    • Discretionary Access Control (DAC) - Subject gains access through group membership
    • Mandatory Access Control (MAC) - Owner of the data classifies the data and mandates who has access to some class of data
    • Role Based Access Control (RBAC) - Access control based on the role of the person, like a backup operator
    • Rule Based Access Control (RBAC) - Like on a router: access into the intranet is only possible if a system has established a connection from the inside
    • Context Dependent Access Control - A subject can, for instance, read data but can't copy it
  • User Interface Types
    • Menu-Based Interface
    • Shell
    • Database-Viewer
  • Access Control Matrix - Visual matrix of the permissions subjects have on objects. The permissions are the rows. The subjects are the columns.
  • Access Control Systems
    • RADIUS - Standard, non-vendor-specific authentication protocol. Encrypts only the password
    • TACACS - Same as above. Encrypts all traffic
    • Diameter - Same as above, plus replay protection
  • Keystroke Monitor - Hardware or software device that is used to capture the keystrokes of a subject
  • Object reuse - Remnant data on devices
  • Tempest Shielding - Shielding against data leaked through electromagnetic emanation of devices
  • Sensitive Compartmented Information Facility (SCIF)
  • NIDS - Network Intrusion Detection Systems
    • Realtime traffic analysis
    • Monitor through upload to log server
    • Passive monitoring
  • HIDS/HIPS - Host-based Intrusion Detection/Prevention System
    • Software agent on machine
    • Signature, anomaly or heuristics based
  • HIDS - Host-based Intrusion Detection System; can only watch and send alerts
  • HIPS - Host-based Intrusion Prevention System; can stop attacks actively
  • Honeypot - Hacking magnet, decoy
  • Honeynet - Honeypot network
  • Network Sniffer - Used to capture network traffic