Chapter 14: Controlling & Monitoring Access
Identify common authorisation mechanisms
- Authorisation ensures that the requested activity or object access is permitted, given the privileges assigned to the authenticated identity.
- For example, it ensures that users with appropriate privileges can access files & other resources.
- Common authorisation mechanisms include:
- implicit deny
- access control lists
- access control matrixes
- capability tables
- constrained interfaces
- content-dependent controls
- context-dependent controls
- These mechanisms enforce security principles such as need-to-know and separation of duties.
Know details about each of the access control models
- With Discretionary Access Control (DAC) models, all objects have owners, and the owners can modify permissions.
- Administrators centrally manage non-discretionary controls.
- Role-Based Access Control (RBAC) models use task-based roles; users gain privileges when administrators place their accounts into a role.
- Rule-based access control models use a set of rules, restrictions or filters to determine access.
- The Mandatory Access Control (MAC) model uses labels to identify security domains. Subjects need matching labels to access objects.
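As an added example (not from the original notes), the mechanisms and models above as working checks: an access control matrix with implicit deny, read as ACLs (columns) and capability tables (rows); a DAC grant that only an owner may make; an RBAC lookup through roles; an ordered rule-based filter with a default deny; and a MAC label match. The subjects, objects, owners, roles, labels and rules are constructed sample data.

```python
"""Added example (not from the original notes): the authorisation mechanisms
and access control models as working checks. Subjects, objects, owners,
roles, labels and rules below are constructed sample data."""
from typing import Dict, Set, Tuple

# Access control matrix: subject -> object -> set of permitted actions.
# Anything not listed is denied (implicit deny).
MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"payroll.xlsx": {"read", "write"}, "handbook.pdf": {"read"}},
    "bob": {"handbook.pdf": {"read"}},
}
# DAC: every object has an owner, and only the owner may change permissions.
OWNERS: Dict[str, str] = {"payroll.xlsx": "alice", "handbook.pdf": "alice"}


def is_allowed(subject: str, obj: str, action: str) -> bool:
    """Implicit deny: access is granted only by an explicit matrix entry."""
    return action in MATRIX.get(subject, {}).get(obj, set())


def acl(obj: str) -> Dict[str, Set[str]]:
    """Column of the matrix: the access control list attached to one object."""
    return {s: set(perms[obj]) for s, perms in MATRIX.items() if obj in perms}


def capability_table(subject: str) -> Dict[str, Set[str]]:
    """Row of the matrix: the capability table held by one subject."""
    return {o: set(a) for o, a in MATRIX.get(subject, {}).items()}


def dac_grant(requester: str, subject: str, obj: str, action: str) -> bool:
    """DAC: the owner of obj may grant action to subject; anyone else is refused."""
    if OWNERS.get(obj) != requester:
        return False
    MATRIX.setdefault(subject, {}).setdefault(obj, set()).add(action)
    return True


# RBAC: privileges attach to task-based roles; an administrator places
# accounts into roles, and users never receive permissions directly.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "hr_clerk": {("payroll.xlsx", "read")},
    "employee": {("handbook.pdf", "read")},
}
USER_ROLES: Dict[str, Set[str]] = {
    "carol": {"hr_clerk", "employee"},
    "dave": {"employee"},
}


def rbac_allowed(user: str, obj: str, action: str) -> bool:
    """Allowed if any role the user holds carries the (object, action) pair."""
    return any((obj, action) in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


# Rule-based: an ordered list of (predicate, decision); the first matching
# rule decides, and the default after the last rule is deny.
def rule_based_allowed(hour: int, from_vpn: bool) -> bool:
    rules = [
        (lambda h, v: not v, False),        # deny any request not over the VPN
        (lambda h, v: 8 <= h < 18, True),   # allow during business hours
    ]
    for predicate, decision in rules:
        if predicate(hour, from_vpn):
            return decision
    return False


# MAC: labels mark security domains and are assigned centrally, not by the
# object owner; the subject's labels must include the object's label.
def mac_allowed(subject_labels: Set[str], object_label: str) -> bool:
    return object_label in subject_labels
```

The same matrix answers both "who can touch this file?" (the ACL) and "what can this user touch?" (the capability table); the difference is only which axis you index by, which is why the two mechanisms are listed side by side above.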
Understand basic risk elements
- Risk is the possibility or likelihood that a threat can exploit a vulnerability and cause damage to assets.
- Asset valuation identifies the value of assets.
- Threat modelling identifies threats against those assets.
- Vulnerability analysis identifies weaknesses in an organisation’s valuable assets.
- Access aggregation is a type of attack that combines (or aggregates) non-sensitive information to learn sensitive information, and is used in reconnaissance attacks.
Know how brute-force & dictionary attacks work
- Brute-force and dictionary attacks are carried out against a stolen password database file or the logon prompt of a system. They are designed to discover passwords.
- In brute-force attacks, all possible combinations of keyboard characters are used, whereas a predefined list of possible passwords is used in a dictionary attack.
- Account lockout controls blunt their effectiveness against online attacks (repeated guesses at a logon prompt).
Understand the need for strong passwords
- Strong passwords make password-cracking utilities less successful.
- Strong passwords include multiple character types and are not words contained in a dictionary.
- Password policies ensure that users create strong passwords.
- Passwords should be encrypted when stored, and encrypted when sent over a network.
- Authentication can be strengthened by using an additional factor beyond just passwords.
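As an added example (not from the original notes) covering the two sections above: a password policy check that requires several character types and rejects dictionary words, and an account lockout counter that blunts online brute-force and dictionary guessing. The word list, length and thresholds are constructed sample values.

```python
"""Added example (not from the original notes): a strong-password policy
check and an account lockout tracker. The dictionary, minimum length and
lockout thresholds are constructed sample values."""
import string
from typing import Dict, List

# Constructed stand-in for a cracking dictionary; a real list is far larger.
DICTIONARY = {"password", "letmein", "welcome", "qwerty", "dragon"}

CHARACTER_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def password_problems(pw: str, min_len: int = 12, min_classes: int = 3) -> List[str]:
    """Return the policy violations for pw; an empty list means it passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = sum(any(c in cls for c in pw) for cls in CHARACTER_CLASSES)
    if classes < min_classes:
        problems.append(f"fewer than {min_classes} character types")
    # Strip digits and punctuation so "Password123!" is still caught as "password".
    core = "".join(c for c in pw if c.isalpha()).lower()
    if pw.lower() in DICTIONARY or core in DICTIONARY:
        problems.append("based on a dictionary word")
    return problems


class LockoutTracker:
    """Counts failed logons per account and locks the account once the
    threshold is reached. Time is passed in explicitly so the behaviour is
    deterministic; a real system would use the clock."""

    def __init__(self, threshold: int = 5, lockout_seconds: int = 900):
        self.threshold = threshold
        self.lockout_seconds = lockout_seconds
        self.failures: Dict[str, int] = {}
        self.locked_until: Dict[str, float] = {}

    def is_locked(self, account: str, now: float) -> bool:
        return self.locked_until.get(account, 0) > now

    def record_failure(self, account: str, now: float) -> bool:
        """Record a failed attempt; return True if the account is now locked."""
        if self.is_locked(account, now):
            return True
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.threshold:
            self.locked_until[account] = now + self.lockout_seconds
            self.failures[account] = 0
            return True
        return False

    def record_success(self, account: str) -> None:
        """A successful logon clears the failure count."""
        self.failures.pop(account, None)
```

The lockout only helps at the logon prompt: an attacker holding a stolen password database never hits `record_failure`, which is why the stored hashes need their own protection (salting and a slow hash) and the policy check still matters.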
Understand how salt & pepper thwarts password attacks
- Salts add additional bits to a password before hashing it, and help thwart rainbow table attacks.
- Some algorithms, such as bcrypt and PBKDF2 (Password-Based Key Derivation Function 2) add the salt and repeat the hashing functions many times.
- Salts are stored in the same database as the hashed password.
- A pepper is a large constant number used to further increase the security of the hashed password, and it is stored somewhere outside the database holding the hashed passwords.
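As an added example (not from the original notes): a password stored as a salted, peppered PBKDF2 hash with a matching verifier. The per-user salt is kept in the stored string next to the hash; the pepper is a constructed value standing in for a secret held outside the password database. The iteration count is a sample value.

```python
"""Added example (not from the original notes): salted and peppered PBKDF2
password hashing with verification. The pepper below is a constructed
placeholder for a secret kept outside the database; the iteration count is
a sample value."""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed pepper; a real one is random, secret, and stored outside the
# password database (e.g. an HSM, a KMS, or separately managed config).
PEPPER = b"constructed-pepper-kept-outside-the-database"
ITERATIONS = 600_000  # sample value; tune to the cost the server can afford


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS, pepper: bytes = PEPPER) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt>$<hash>' for storage in the DB.

    The salt is random per password, so two users with the same password get
    different hashes and a precomputed rainbow table is useless.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    # The pepper keys an HMAC over the password before the slow KDF, so a
    # stolen table of salts and hashes is not enough to mount an offline attack.
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    dk = hashlib.pbkdf2_hmac("sha256", peppered, salt, iterations)
    return f"pbkdf2_sha256${iterations}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, stored: str, pepper: bytes = PEPPER) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare."""
    algorithm, iterations, salt_b64, _ = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    candidate = hash_password(password, salt=salt,
                              iterations=int(iterations), pepper=pepper)
    # Constant-time comparison: do not leak how many bytes matched.
    return hmac.compare_digest(candidate, stored)
```

Because the iteration count travels with the stored value, old hashes keep verifying after the cost is raised for new ones, and a login path can rehash on success to migrate them.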
Understand sniffer attacks
- In a sniffer (or snooping) attack, an attacker uses a packet-capturing tool (such as a sniffer or protocol analyser) to capture, analyse and read data sent over a network.
- Attackers can easily read data sent over a network in cleartext, but encrypting data in transit thwarts this type of attack.
Understand spoofing attacks
- Spoofing is pretending to be something or someone else, and it is used in many types of attacks, including access control attacks.
- Attackers often try to obtain the credentials of users so they can spoof the user’s identity. Spoofing attacks include email spoofing, phone number spoofing and IP spoofing.
- Many phishing attacks use spoofing methods.
Understand social engineering
- A social engineering attack is an attempt by an attacker to convince someone to provide information (such as a password) or perform an action they wouldn’t normally perform (such as clicking on a malicious link), resulting in a security compromise.
- Social engineers often try to gain access to the IT infrastructure or the physical facility.
- User education is an effective tool to prevent the success of social engineering attacks.
Understand phishing
- Phishing attacks are commonly used to try to trick users into giving up personal information (such as user accounts & passwords), clicking a malicious link, or opening a malicious attachment.
- Spear phishing targets specific groups of users, and whaling targets high-level executives.
- Vishing uses VoIP technologies.