Asynchronous Tokens
A one-time password generated without the use of a clock, either from a one-time pad or cryptographic algorithm. Also called a time-based one-time password (TOTP) token.
Attribute-Based Access Control (ABAC)
This is an access control paradigm whereby access rights are granted to users with policies that combine attributes together.
Authorization
The right or permission that is granted to a system entity to access a system resource. Source: NIST SP 800-82
Connected Tokens
Must be physically connected to the computer with which the user is authenticating.
Contactless Tokens
Form a logical connection to the client computer but do not require a physical connection.
Crossover Error Rate
This is the point at which the false acceptance (or Type II) error rate equals the false rejection (Type I) error rate, for a given sensor used in each system and context. This is only the optimal point to operate at if the potential impacts of both types of errors are equivalent.
Disconnected Tokens
Have neither a physical nor logical connection to the client computer.
Discretionary Access Control (DAC)
The system owner decides who gets access.
Entitlement
A set of rules, defined by the resource owner, for managing access to a resource (asset, service or entity) and for what purpose.
Entity
Any form of user, such as a hardware device, software daemon, task, processing thread or human, which is attempting to use or access system resources. Endpoint devices, for example, are entities that human (or nonhuman) users make use of in accessing a system. Entities should be subject to access control and accounting.
False Accept Rate (Type II)
Incorrectly identifying an unauthorized entity as valid.
False Reject Rate (Type I)
Incorrectly identifying an authorized entity as invalid.
Identity Management
The many different functions or activities used by an organization to validate, control, update, and establish access permissions for identities associated with an entity which seeks to have an association or relationship with an organization. This may include identity proofing, generation of user identities within the organization's access control system, granting and updating access control permissions, and updating those identities and permissions throughout the duration of that entity's association with the organization.
Identity-Proofing
Services that verify people's identities before the enterprise issues them accounts and credentials. The steps involved are resolution, validation, and verification (NIST SP 800-63A).
Machine-in-the-Middle (MITM)
Using a machine (or software entity) acting as an unauthorized intermediary between two intercommunicating parties. The attacker intercepts messages from each party, copies or modifies them to suit their own purpose, and then passes them on to the other party, impersonating the original sender in the process. Originally called the man-in-the-middle attack technique, based on its long history in human intelligence and surveillance activities, it's been belatedly recognized that the vast majority of these attacks are actually carried out by machines or software entities being directed by a human attacker; changing what we call this attack focuses our attention on pursuing better use of entity-associated indicators as possible ways to detect and defend against MITMs.
Mandatory Access Control (MAC)
A means of restricting access to objects based on the sensitivity (as represented by a security label) of the information contained in the objects and the formal authorization (i.e., clearance, formal access approvals, and need-to-know) of subjects to access information of such sensitivity. Mandatory access control is a type of nondiscretionary access control. Source: NIST 800-53 Rev 4
Object
(1) Passive information system-related entity (e.g., devices, files, records, tables, processes, programs, domains) containing or receiving information. Access to an object (by a subject) implies access to the information it contains. See subject. Source: NIST SP 800-53 Rev 4. (2) In access control: a passive entity that typically receives or contains some form of data.
Pwned
(Pronounced "pawned") A widely used bit of security jargon referring to a name, email address or identity that has had its ownership taken over (or "owned") by another entity. This is an example of "leetspeak," which parodies the use of adjacent keys on the keyboard to re-spell words in passwords or passphrases, a practice that often leads to loss of control of the asset in question.
Role-based Access Control (RBAC)
Restricting access to data based upon an entity's role or function, essentially the permissions.
Rule-based Access Control (RuBAC)
Restricting access based upon a set of rules, which are usually defined by the systems administrator. The rules are stored in the ACL and applied when access is attempted.
Single Sign-On (SSO)
An authentication mechanism that allows a single identity to be shared across multiple applications.
Smart Cards
A card (usually credit-card sized) that contains embedded circuitry. Contact cards have a visible chip, whereas contactless cards have an embedded antenna. Used to provide strong authentication in an SSO environment.
Static Token
(1) A password or other value that remains constant through multiple logins or authentications, until changed by the user or system. (2) A device that contains a password which is physically hidden (not visible to the possessor) but is transmitted for each authentication.
Subject
(1) Generally an individual, process or device causing information to flow among objects or change to the system state. Source: NIST SP 800-53 Rev 4. (2) An active entity, which can be any user, program or process that requests permission to cause data to flow from an access control object to the access control subject or between access control objects.
Synchronous
Each encryption or decryption request is performed immediately.
Synchronous Token
A timer is used to rotate through various combinations produced by a cryptographic algorithm.
Trust Path
A series of trust relationships that authentication requests must follow between domains.
Trusted Computing Base (TCB)
The collection of all of the hardware, software, and firmware within a computer system that contains all elements of the system responsible for supporting the security policy and the isolation of objects.
Trusted Path
(1) A communications channel provided by the trusted computing base in a system, which enforces security policies as required to protect direct access to highly sensitive assets such as device hardware interfaces. (2) More generally, a data or control signal path through an architecture that meets or exceeds the security requirements for protecting both the data moving across the path and the systems at each end of that path.
Trusted Shell
A communications channel provided by the trusted computing base in a system, which enforces security policies as required to protect activity within the shell and restrict activity from an untrusted party or entity.
Zero Trust Model
Exploits that target a vulnerability previously unknown to the systems' builders, vendors, users or other security researchers. The name connotes a surprise attack, since the exploit would not (in general) fit any recognized patterns, signatures or methods.