Access Control Flashcards
What are the four Access Control Models
MAC (Mandatory AC) , DAC (Discretionary AC), RBAC (Role Based AC), ABAC (Attribute Based AC)
Describe DAC
Discretionary Access Control is when the Access control policy is determined by the owner of the network resource.
When a folder is created by a user, they have the ability to choose who has access to the folder and what level of access they have
What are the requirements of DAC
- Every object in a system must have an owner.
- Each owner determines access rights and permissions for each object
Describe MAC
Mandatory Access Control is a model where the computer system determines the access control for a user.
MAC relies on security labels being assigned to every user (subject) and every file/folder/device or network connection (object)
What is a security label
A label assigned to a subject or object within MAC. Data labels create trust levels for all subjects and objects, and to access objects you must meet the minimum or greater trust level.
How is MAC implemented
MAC used rule based and lattice based access control methods. Both are sub access control methods that rely on data labels.
Describe Rule Based AC
A SUB Access Control of MAC
Label based access control that defines whether access should be granted or denied to objects by comparing the object label and subject label
Describe LBAC
A SUB Access Control of MAC
Lattice based Access control - utilizes complex mathematics to create sets of object and subjects that define how they interact.
True or False: MAC is an industry best practice
False: MAC is only used in high security environments due to its complex and expensive configuration
True or False: MAC is a feature in FreeBSD and SeLinux
True
Describe ABAC
Attribute based access control is a dynamic and context aware model that uses if then statements with Tags and dynamic authentication.
Describe Role Based Access Control RBAC
Role Based Access Control
Model that is controlled by the system but utilized a set of permissions instead of a single data label to define permission levels.
Access based on job function is RBAC
**Power User accounts are RBAC Permissions
What are the best practices for Access Control
Implicit deny
Least Privilege
Separation of Duties
Job Rotations
Explain Implicit deny and least privilege
Implicit deny - All resources should be denied by default and only allowed when explicitly stated.
Least Privilege - Users should have he lowest level of access needed to perform their job function - similar to “Need to Know” aspect of MAC.
Explain Separation of Duties and Job Rotations
Separation of duties
includes requiring more than one person to conduct sensitive tasks or operations.
An example would be an admin having both a Standard user account and a power user account.
Job Rotation -
Users are cycled between jobs to learn operations reduce burnout and boredom.
Helps employees learn new skills in addition to identifying theft and fraud.