access control

Question 1

access control

Answer 1

a collection of mechanisms that work together to create security architecture to protect the assets of an information system

Question 2

security policy

Answer 2

states who is allowed to do what

Question 3

what are some examples of objects

Answer 3

file
directory
data
service

Question 4

authorisation

Answer 4

checks whether a request for an object can be granted
the act of setting the security policy

Question 5

reference monitor

Answer 5

the guard enforcing the policy

Question 6

access control list

Answer 6

attached to each object in a system

Question 7

accountability

Answer 7

a security goal that allows actions of an entity to be tracked back to that entity

Question 8

what are some benefits of accountability

Answer 8

can investigate parties involved in a breach
can check whether an organisation is following regulations
allows for deterrence, fault isolation, intrusion detection and prevention

Question 9

physical access control

Answer 9

using locks security guards badges etc to control people/vehicles entering a protected area via authentication and authorisation
prevents gaining physical access into the system

Question 10

information/asset owner

Answer 10

responsible for who uses the system and how to recover it in a disaster

Question 11

logical access control

Answer 11

prevents logical (usually remote) access via the validation of a users identity

Question 12

confidentiality in CIA

Answer 12

protect data and personal privacy from leakage

Question 13

integrity in CIA

Answer 13

ensure accuracy completeness consistency and validity of the organisations or a persons data

Question 14

availability in CIA

Answer 14

data should be available when requested

Question 15

in which four ways can we allocate privileges

Answer 15

mandatory access control
discretionary access control
the least privilege
role based access control

Question 16

mandatory access control

Answer 16

the security policy is centrally controlled by a policy/security administrator therefore the rules are set by the system and enforced for all users

Question 17

what is access based on in mandatory access control

Answer 17

subjects objects and labels

Question 18

subjects in mandatory access control

Answer 18

people or other systems that are granted clearance

Question 19

objects in mandatory access control

Answer 19

assets being protected

Question 20

labels in mandatory access control

Answer 20

binds the object to the subject
defines whether a subject can access an object based on the labels classification

Question 21

discretionary access control

Answer 21

decentralised
allows the object owner to grant permissions to other users

Question 22

what does the access control list contain in discretionary access control

Answer 22

user id file names and permissions

Question 23

what are some examples of permissions

Answer 23

read
write
update
delete
rename
execute

Question 24

the least privilege

Answer 24

giving people the least amount of access required to do their job

Question 25

what is the benefit of using the least privilege

Answer 25

lesser risk of leaking data and compromising the integrity

Question 26

role based access control

Answer 26

each user is assigned to a group then assigning access control rights to each group

Question 27

benefits of role based access control

Answer 27

good for high number of employees and frequently changing roles
stops a single user from becoming too powerful

Question 28

what must we do before handing over privileges

Answer 28

check identity and the handover phase must be secure

Question 29

how do we record privileges

Answer 29

using logs

Question 30

why do we monitor access

Answer 30

helps notice abnormal behaviour
users may become malicious via malware on their device
collect data for security incidents
identification and authentication mechanisms may be vulnerable
users may want to extend privileges illegally

Question 31

why do we monitor password systems

Answer 31

evidence of password experimentation (forgetting it)
evidence of logins when the user is absent

Question 32

audit policies

Answer 32

define which events will be logged

Question 33

event logs

Answer 33

used by accountability
attackers may hide their traces by deleting relevant logs but they shouldnt be able to tamper with the evidence already logged

Question 34

hashing

Answer 34

using a hash function to encrypt plaintext

Question 35

what are the 2 things that hashing must do

Answer 35

be one way; it can only be solved via brute force
be collision resistant; cybertext shouldnt have duplicates

Question 36

salting

Answer 36

adding random data to the pw before hashing
the salt is stored with the encrypted data

Question 37

what are benefits of salting

Answer 37

prevents cracking methods
the same string will hash into different values at different times
users with the same password will have different encrypted passwords stored

Question 38

brute force attacks

Answer 38

guaranteed to work eventually
must determine the alphabet used as some special characters are excluded from passwords

Question 39

rainbow table attacks

Answer 39

predocumented lookup table for storing hashes

Question 40

dictionary attacks

Answer 40

only work if the pw is already in the dictionary