Access Control Flashcards

1
Q

What data structure is used to implement discretionary access control?

a. Linked list
b. 2d matrix
c. Red and black tree
d. Stack

A

b. 2d matrix

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Which of the following is granting permission to a system entity to access a system resource?

a. Authentication
b. Authorization
c. Audit
d. Allowance
e. None of the above

A

b. Authorization

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What kind of relationship is a role to a user in role based access control?

a. 1 to 1
b. 1 to many
c. Many to one
d. Many to many

A

d. Many to many (a role can have many users, many users can have many roles review chapter 4, page 146 and chapter 27)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

T/F: Access control implements a security policy that verifies the credentials of a user

A

False (page 107)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Which entities and functions form access control?

A

Authentication, Authorization, and Audit

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Define Authentication

A

Verification that the credentials of a user or other system entity are valid

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Define Authorization

A

The granting of a right or permission to a system entity to access a system resource. This function determines who is trusted for a given purpose.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Define Audit

A

An independent review and examination of system records and activities in order to test for adequacy of system controls, to ensure compliance with established policy and operational procedures, to detect breaches in security, and to recommend any indicated changes in control, policy, and procedures

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

This policy controls access based on the identity of the requestor and on access rules (authorizations) stating what requestors are (or are not) allowed to do. This policy is termed [ ] because an entity might have access rights that permit the entity, by its own volition, to enable another entity to access some resource.

a. Mandatory Access Control (MAC)
b. Attribute Based Access Control (ABAC)
c. Discretionary Access Control (DAC)
d. Role Based Access Control (RBAC)

A

c. Discretionary Access Control (DAC)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

This policy controls access based on comparing security labels (which indicate how sensitive or critical system resources are) with security clearances (which indicate system entities are eligible to access certain resources). This policy is termed [ ] because an entity that has clearance to access a resources may not, just by its own volition, enable another entity to access that resource

a. Mandatory Access Control (MAC)
b. Attribute Based Access Control (ABAC)
c. Discretionary Access Control (DAC)
d. Role Based Access Control (RBAC)

A

a. Mandatory Access Control (MAC)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

This policy controls access based on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles.

a. Mandatory Access Control (MAC)
b. Attribute Based Access Control (ABAC)
c. Discretionary Access Control (DAC)
d. Role Based Access Control (RBAC)

A

d. Role Based Access Control (RBAC)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

This policy controls access based on attributes of the user, the resource to be accessed, and current environmental conditions

a. Mandatory Access Control (MAC)
b. Attribute Based Access Control (ABAC)
c. Discretionary Access Control (DAC)
d. Role Based Access Control (RBAC)

A

b. Attribute Based Access Control (ABAC)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Which of the following is an entity capable of accessing objects. Generally, the concept of [ ] equates with that of process.

a. Subject
b. Object
c. Access Right
d. Access Matrix

A

a. Subject

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Which of the three classes of subject have the least amount of access granted to users who are able to access the system but are not included in the categories owner and group for this resource

a. Owner
b. Group
c. World

A

c. World

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Which of the three classes of subject may be the creator of a resource, such as a file? For system resources [ ] may belong to a system administrator. For project resources, a project administrator or leader may be assigned [ ].

a. Owner
b. Group
c. World

A

a. Owner

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Which of the three classes of subject is described as: a named group of users may also be granted access rights, such that membership in the group is sufficient to exercise these access rights.

a. Owner
b. Group
c. World

A

b. Group

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Which of the following is a recourse to which access is controlled? A [ ] is an entity used to contain and/or receive information. Examples include records, blocks, pages, segments, files, portions of files, directories, directory trees, mailboxes, messages and programs.

a. Subject
b. Object
c. Access Right
d. Access Matrix

A

b. Object

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Which of the following described the way in which a subject may access an object?

a. Access Matrix
b. Capability List
c. Capability Matrix
d. Access Right

A

d. Access Right

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

This access right allows a user to view information in a system or resource. It includes the ability to copy or print.

a. Search
b. Execute
c. Read
d. Write
e. Delete
f. Create

A

c. Read

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

This access right allows a user to list the files in a directory or otherwise find the directory.

a. Search
b. Execute
c. Read
d. Write
e. Delete
f. Create

A

a. Search

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

This access right allows a user to create new files, records, or fields

a. Search
b. Execute
c. Read
d. Write
e. Delete
f. Create

A

f. Create

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

This access right allows a user to add, modify, or delete data in a system resource. It includes read access.

a. Search
b. Execute
c. Read
d. Write
e. Delete
f. Create

A

d. Write

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

This access right allows a user to delete certain system resources such as files or records

a. Search
b. Execute
c. Read
d. Write
e. Delete
f. Create

A

e. Delete (duh)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

This access right allows a user to execute specified programs

a. Search
b. Execute
c. Read
d. Write
e. Delete
f. Create

A

b. Execute

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
What is the general approach to Discretionary Access Control (DAC) as exercised by an operating system or a database management system? a. Access Control List b. Access Matrix c. Capability Control Matrix d. Capability List
b. Access Matrix
26
What are the two dimensions of an access matrix?
One dimension of the matrix consists of identified subjects that may attempt data access to the resources (individual users or user groups) The other dimension lists the objects that may be accessed. Objects may be individual data fields or records, files or databases Key is that each entry in the matrix indicates the access rights of a particular subject for a particular object
27
Name and describe the two ways access control matrices can be decomposed
Access Control Lists (ACLs): for each object, an ACL lists users and their permitted access rights Capability Tickets: specifies authorized objects and operations for a particular user. Each user has a number of tickets and may be authorized to load or give them to others
28
The universe of objects can be extended in multiple ways. One way is through _____ which are: access rights include the ability to delete, stop/block, and wake these up. a. Processes b. Devices c. Memory Locations or Regions d. Subjects
a. Processes
29
The universe of objects can be extended in multiple ways. One way is through _____ which are: access rights include the ability to read/write, control operation of, and block/unblock these for use. a. Processes b. Devices c. Memory Locations or Regions d. Subjects
b. Devices
30
The universe of objects can be extended in multiple ways. One way is through _____ which are: access rights include the ability to read/write these. They are protected such that the default is to disallow access a. Processes b. Devices c. Memory Locations or Regions d. Subjects
c. Memory Locations or Regions
31
The universe of objects can be extended in multiple ways. One way is through _____ which are: access rights with respect to these have to do with the ability to grant or delete access rights of them to other objects a. Processes b. Devices c. Memory Locations or Regions d. Subjects
d. Subjects
32
Explain the meaning of inode in the UNIX file administration system
Is a control structure that contains the key information needed by the operating system for a particular file. Several file names may be associated with a single inode, but an active inode is associated with exactly one file, and each file is controlled by exactly one inode.
33
There are four entities in an RBAC system. This one is an individual that has access to his computer system. Each individual has an associated user IDF a. User b. Role c. Permission d. Session
a. User
34
There are four entities in an RBAC system. This one is a named job function within the organization that controls this computer system. Typically, associated with each [ ] is a description of the authority and responsibility conferred to it, and on any user who assumes this [ ] a. User b. Role c. Permission d. Session
b. Role
35
There are four entities in an RBAC system. This one is an approval of a particular mode of access to one or more objects. Equivalent terms are access right, privilege, and authorization a. User b. Role c. Permission d. Session
c. Permission
36
There are four entities in an RBAC system. This one is a mapping between a user and an activated subset of the set of roles to which the user is assigned a. User b. Role c. Permission d. Session
d. Session
37
Constraints provide a means of adapting RBAC to the specifics of administrative and security policies in an organization. A constraint is a defined relationship among roles or a condition related to roles. This RBAC constraint refers to setting a maximum number with respect to roles. One such constraint is to set a maximum number of users that can be assigned to a given role. a. Mutually Exclusive Roles b. Cardinality c. Prerequisite Roles
b. Cardinality
38
Constraints provide a means of adapting RBAC to the specifics of administrative and security policies in an organization. A constraint is a defined relationship among roles or a condition related to roles. This RBAC constraint refers to roles such that a user can be assigned to only one role in the set a. Mutually Exclusive Roles b. Cardinality c. Prerequisite Roles
a. Mutually Exclusive Roles
39
Constraints provide a means of adapting RBAC to the specifics of administrative and security policies in an organization. A constraint is a defined relationship among roles or a condition related to roles. This RBAC constraint refers to dictating a user can only be assigned to a particular role if it is already assigned to some other specified role. a. Mutually Exclusive Roles b. Cardinality c. Prerequisite Roles
c. Prerequisite Roles
40
T/F: The main obstacle to adoption of ABAC is the concern about the performance impact. Its evaluation is predicated on both resource and user properties for each access.
True
41
What are the 3 key elements to an ABAC model?
Attributes: defined for entities in a configuration Policy Model: defines the ABAC policies Architecture Model: applies to policies which enforce access control
42
There are three types of attributes for ABAC Model. This one is defined as: an active entity (e.g. a user, an application, a process, or a device) which causes information to flow among objects or changes the system state a. Subject Attributes b. Object Attributes c. Environmental Attributes
a. Subject Attributes
43
There are three types of attributes for ABAC Model. This one is defined as: a resource. Is a passive information system-related entity (e.g. devices, files, records, tables, processes, programs, networks, domains) containing or receiving information a. Subject Attributes b. Object Attributes c. Environmental Attributes
b. Object Attributes
44
There are three types of attributes for ABAC Model. This one is defined as: the operational, technical, and even situational environment or context in which the information access occurs. a. Subject Attributes b. Object Attributes c. Environmental Attributes
c. Environmental Attributes
45
T/F: Privileges in ABAC are a set of rules and relationships which govern allowable behavior within an organization, based on the privileges of subjects and how resources or objects are to be protected under which environment conditions.
False. Defined is a policy in ABAC.
46
T/F: Policy in ABAC represent the authorized behavior of a subject (also called rights, authorizations, or entitlements).
False. This is the definition for privileges in ABAC
47
This is a comprehensive approach to managing and implementing digital identities, credentials, and access control. a. ICAM b. Identity Management c. RBAC d. Privilege Management
a. ICAM (Identity, Credential, and Access Management)
48
This is concerned with assigning attributes to a digital identity and connecting that digital identity to an individual or NPE. The goal is to establish a trustworthy digital identity that is independent of a specific application or context. a. ICAM b. Identity Management c. RBAC d. Privilege Management
b. Identity Management
49
List the elements of identity lifecycle management.
a. Mechanisms, policies, procedures for protecting PII b. Controlling access to identity data c. Techniques for sharing authoritative identity data with applications which need it d. Revocation of an enterprise identity
50
This is an object or data structure which authoritatively binds an identity to a token possessed and controlled by a subscriber a. Privilege b. User c. Role d. Credential
d. Credential
51
There are three supporting elements which are needed for an enterprise-wide access control facility. This one is the element concerned with defining rules for a resource which requires access control. a. Resource Management b. Privilege Management c. Policy Management
a. Resource Management
52
There are three supporting elements which are needed for an enterprise-wide access control facility. This one is the element concerned with establishing and maintaining the entitlement attributes that comprise an individual's access profile. a. Resource Management b. Privilege Management c. Policy Management
b. Privilege Management
53
There are three supporting elements which are needed for an enterprise-wide access control facility. This one is the element concerned with governing what is allowable and not allowed in an access transaction. a. Resource Management b. Privilege Management c. Policy Management
c. Policy Management
54
Multiple Selection: What are the requirements of a trusted computing base (TCB)? a. User Experience b. Tamper Proof c. Reliability d. Complete Mediation e. Correctness
b. Tamper-Proof: untrusted code should not be able to tamper with code or data which make up the TCB d. Complete Mediation: TCB must be a reference monitor. Every reference from a resource that needs to be protected must go through the TCB. There should be no way to bypass this. e. Correctness: since we put all our trust in the TCB, it must be correct.
55
Which Type of control is based on the identity of the requestor and the access rules state what a requestor can or cannot do? A) Mandatory Access Control (MAC) B) Role-based access control (RBAC) C) Discretionary access control (DAC) D) Attribute-based access control (ABAC)
Answer C This policy is termed discretionary because an entity might have access rights that permit the entity, by its own volition, to enable another entity to access some resource. Source: Book Chapter 4.2 Page 131
56
T/F: Access Control Lists make it easy to look up who all the users are that can access a resource, and the type of access they have for that resource.
Answer True | Source: Book Chapter 4.3 Page 111
57
What does each entry of an access matrix indicate? A. Access rights of a particular object for a particular subject. B. Access rights of a particular subject for a particular object. C. Access rights of a particular subject for a particular directory. D. Access rights of a particular object for a particular group.
Answer B Source: Book pg. 111
58
T/F: DAC is a concept that evolved out of requirements for military information security.
Answer False DAC is the traditional method for implementing access control, MAC was created out of military necessity. Source: Book, Ch 4, Pg. 109
59
T/F: One problem with DAC is that it is not possible to control information flow.
Answer True Source: Mandatory Access Control Lecture
60
T/F: DAC is popular with corporations because it reflects how they treat their data.
Answer False Employers mandate explicit policies on who can share what. Source: Mandatory Access Control Lecture
61
An access control mechanism mediates between a user (or a process executing on behalf of a user) and system resources, such as: a) firewalls b) routers c) applications d) a & b only f) All of the above
f) All of the above | ch. 4, p. 108 of text
62
Which of the following is granting permission to a system entity to access a system resource? ``` A) Authentication B) Authorization C) Audit D) Allowance E) None of the Above ```
Answer B Authorization determines who is trusted for a given purpose Source: Book Chapter 4.1 Page 130
63
T/F: Access control implements a security policy that verifies the credentials of a user.
Answer False. Access control implements a security policy that specifies who or what may have access to each specific system resource, and the type of access that is permitted in each instance. Source: Book pg. 107
64
Under Mandatory Access Control (MAC), what two properties provide confidentiality: A) Read Up, Write Down B) No Read Up, No Write Down C) Read Up, No Write Down D) No Read Up, Write Down
Answer B) No Read Up, No Write Down No read up: A subject can only read an object of less or equal security level No write down: A subject can only write into an object of greater or equal security level. ch. 27, p. 27-2 text
65
T/F: A subject is said to have a security clearance of a given level and an object is said to have a security classification of a given level.
Answer True Source: Book Chapter 27 Page 27-4
66
For the Bell-Lapadula Model (BLP), the properties needed for the confidentiality form of MAC are: 1. ds-property and *-property 2. ss-property and *-property 3. ss-property and ds-property 4. None of the above
Answer 2. (Chapter 27.1) ss-property (simple security property): no read up *-property (star property): no write down The ds-property is a provision made by BLP for DAC but must be consistent with MAC rules.
67
T/F: Other MAC models such as Bell and La Padua (BLP Model) is focused on Integrity, and BIBA model is focused on Confidentiality.
Answer False BLP focuses on Confidentiality and BIBA focuses on Integrity Source: P1:L6 MAC slides | Other MAC models
68
T/F: Examples of BLP model classifications are High, Medium, and Low.
Answer False. Examples are Top Secret, Secret, Confidential Source: P1:L6 MAC slides | Other MAC models
69
T/F: MAC cannot be employed with other access control policies, such as DAC, RBAC, and ABAC.
Answer False All four access policies (DAC, MAC, RBAC, and ABAC) are not mutually exclusive Source: Book, Ch. 4, Pg. 109
70
______ is based on the roles that users assume in a system rather than a user’s identity. A. DAC B. MAC C. RBAC D. ABAC
Answer C Source: Book pg. 120
71
What aspect of an established RBAC system is likely to change infrequently? ``` A) The set of resources and the specific access rights associated with a particular role. B) The set of roles in the system. C) The set of users. D) A & B E) None of the above. ```
Answer D Source: Book. Ch 4, Pg 120
72
The RBAC prerequisite role can be used for the following: A) A way to increase the difficulty of collusion among individuals of different skills or divergent job functions to thwart security policies. B) For structuring the implementation of the least privilege concept. C) As a risk mitigation technique for a sensitive or powerful permission. D) None of the above
Answer B Source: Book, Ch 4, Pg 125
73
How does ABAC model controls access?
ABAC evaluates attributes of subject/object and access control rule defining allowable operation in a given environment Source: book p. 127
74
In the Attribute-Based Access Control (ABAC) model: current date and time, the current virus/hacker activities, and the network’s security level are known as ____ ``` A) Object attributes B) Subjects attributes C) Environment attributes D) Access Right E) None of the Above ```
Answer C environments describe the operational, technical, and even situational environment or context in which the information access occurs Source: Book Chapter 4.6 Page 149
75
In a(n) _____ model, authorizations can be defined that express conditions on properties of both the resource and the subject. A. DAC B. MAC C. RBAC D. ABAC
Answer D Source: Book pg. 126
76
The strength of the ABAC approach is its ________ and ________. A. strictness, performance B. flexibility, expressive power C. extensibility, ease of use D. None of the above
Answer B Source: Book pg. 126
77
T/F: Access Control Lists may have default entry that should always follow the rule of least privilege
Answer True Source: book p.111
78
T/F: The columns of an Access Control Matrix are Access Control Lists.
Answer True The matrix may be decomposed by columns, yielding access control lists (ACLs) (see Figure 4.2b). Decomposition by rows yields capability lists (see Figure 4.2c). Source: Book chapter 4.3 page 133
79
In Unix, a user (U) can run with the permission of the file creator (C) under what condition(s)? a) U has execute privileges b) C has read, write, and execute permissions c) Set User ID d) Set Group ID e) a & c f) all of the above
Answer E
80
Multiple Choice: What contents exist inside of a file’s inode? a) Environmental Variables b) Answer Owner ID c) Group ID d) User ID e) 12 protection bits
Answer b), c), e)
81
What is an inode (index node)? A.) An inode is part of a linked list design for memory storage B.) An inode is a special directory only to bee seen by root C.) An inode is a control structure that contains information needed by the OS for a file. D.) An inode is a user permission for a given user group.
Answer C Page 117
82
T/F: An inode contains all information about a file.
Answer False inode’s don’t contain the file name and actual data
83
The concept of inheritance enables one role to implicitly include access rights associated with a subordinate role. What role-based access control makes use of this concept?
Answer: Role Hierarchy Source: book p.124
84
What is the initial requirement for performing user authentication? A.) User must be registered within the system. B.) A token must be verified C.) A digital signature needs to be authenticated D.) A multi factor system has to be in place
Answer A Page 65
85
What are examples of static vs dynamic biometric recognition? A.) Dynamic biometric could be a fingerprint and Static could be a voice pattern B.) Dynamic can be face recognition and static could be fingerprint C.) Dynamic is when you have an electronic keycard and static is a fingerprint D.) Static biometric is a fingerprint and dynamic biometric is a voice pattern
Answer D Page 66
86
The means for authenticating a user can be summarized in general terms by four things. What are the four things? A.) Something the user knows, possesses, is and does. B.) Something the user knows, possesses, is and wants C.) Something the user can see, knows, wants and doesn’t have D.) something the user knows, is, wants and does
Answer A Page 66
87
Bad person Eve walks up to the system and says she is Alice, and successfully logs in as Alice. This authentication outcome is a: A.) False negative B.) False positive
Answer B P1:L4 Authentication (Authentication Goals video slide)
88
A ________ is a set of programs installed on a system to maintain covert access to that system with administrator or root privileges, while hiding evidence of its presence to the greatest extent possible
Answer Rootkit Source: Book Page 212
89
A rootkit can be classified into which of the following characteristics: ``` A.) Persistent B.) Memory Based C.) User Mode D.) Kernel Mode E.) Virtual Machine based F.) External Mode G.) All of the above ```
Answer G Source: Book page 312
90
A rootkit can be classified into _______ this is when the rootkit intercepts calls to APIs and modifies the returned results. A.) Memory based B.) User Mode C.) Kernel Mode D.) External mode
Answer B.) User Mode Source Book page 212
91
What type of rootkit can not survive a reboot and why not? A.) Kernel Mode and because there is no user intervention B.) Persistent and because the firewall flushes the rootkit out C.) Memory based and there is no persistent code D.) External Mode and because it is located in the BIOS
Answer C Page 212: The book says “Memory based rootkits have no persistent code and therefore can not survive a reboot”
92
Which of the following are valid defenses against Client Attacks on a user authentication system? I. Use passwords and pins with high entropy II. Protect the password database III. Implement a challenge-response protocol IV. Limit authentication attempts a. I and II b. I and IV c. II and IV d. II and III e. I, II, and IV
Answer: B (I and IV)
93
T/F: The three A's of access control are Authentication, Authorization, and Allowance
False. Third "A" is Audit